SECTION I
INTRODUCTION

1.1 Status of Multi-Level Security

A major problem with computing systems in the military today is the lack of effective multi-level security controls. The term multi-level security controls means, in the most general case, those controls needed to process several levels of classified material from unclassified through compartmented top secret in a multi-processing multi-user computer system with simultaneous access to the system by users with differing levels of clearances. The lack of such effective controls in all of today's computer operating systems has led the military to operate computers in a closed environment in which systems are dedicated to the highest level of classified material and all users are required to be cleared to that level. Systems may be changed from level to level, but only after going through very time consuming clearing operations on all devices in the system. Such dedicated systems result in extremely inefficient equipment and manpower utilization and have often resulted in the acquisition of much more hardware than would otherwise be necessary. In addition, many operational requirements cannot be met by dedicated systems because of the lack of information sharing. It has been estimated by the Electronic Systems Division (ESD) sponsored Computer Security Technology Panel <AND73> that these additional costs may amount to $100,000,000 per year for the Air Force alone.

1.2 Requirement for Multics Security Evaluation 

This evaluation of the security of the Multics system was performed under Project 6917, Program Element 64708F to meet the requirements of the Air Force Data Services Center (AFDSC). AFDSC must provide responsive interactive time-shared computer services to users within the Pentagon at all classification levels from unclassified to top secret. AFDSC in particular did not wish to incur the expense of multiple computer systems nor the expense of encryption devices for remote terminals which would otherwise be processing only unclassified material. In a separate study completed in February 1972, the Information Systems Technology Applications Office, Electronic Systems Division (ESD/MCI) identified the Honeywell Multics system as a candidate to meet both AFDSC's multi-level security requirements and highly responsive advanced interactive time-sharing requirements.

1.3 Technical Requirements for Multi-Level Security 

The ESD-sponsored Computer Security Technology Planning Study <AND73> outlined the security weaknesses of present day computer systems and proposed a development plan to provide solutions based on current technology. A brief summary of the findings of the panel follows.

1.3.1 Insecurity of Current Systems 

The internal controls of current computers repeatedly have been shown insecure through numerous penetration exercises on such systems as GCOS <AND71>, WWMCCS GCOS <ING73, JTSA73>, and IBM OS/360/370 <GOH72>. This insecurity is a fundamental weakness of contemporary operating systems and cannot be corrected by "patches", "fix-ups", or "add-ons" to those systems. Rather, a fundamental reimplementation using an integrated hardware/software design which considers security as a fundamental requirement is necessary. In particular, steps must be taken to ensure the correctness of the security related portions of the operating system. It is not sufficient to use a team of experts to "test" the security controls of a system. Such a "tiger team" can only show the existence of vulnerabilities but cannot prove their non-existence.

Unfortunately, the managers of successfully penetrated computer systems are very reluctant to permit release of the details of the penetrations. Thus, most reports of penetrations have severe (and often unjustified) distribution restrictions leaving very few documents in the public domain. Concealment of such penetrations does nothing to deter a sophisticated penetrator and can in fact impede technical interchange and delay the development of a proper solution. A system which contains vulnerabilities cannot be protected by keeping those vulnerabilities secret. It can only be protected by the constraining of physical access to the system.

1.3.2 Reference Monitor Concept 

The ESD Computer Security Technology Panel introduced the concept of a "reference monitor". This reference monitor is that hardware/software combination which must monitor all references by any program to any data anywhere in the system to ensure that the security rules are followed. Three conditions must be met to ensure the security of a system based on a reference monitor.

a. The monitor must be tamper proof.

b. The monitor must be invoked for every reference to data anywhere in the system.

c. The monitor must be small enough to be proven correct.

The stated design goals of contemporary systems such as GCOS or OS/360 are to meet the first requirement (albeit unsuccessfully). The second requirement is generally not met by contemporary systems since they usually include "bypasses" to permit special software to operate or must suspend the reference monitor to provide addressability for the operating system in exercising its service functions. The best known of these is the bypass in OS/360 for the IBM supplied service aid, IMASPZAP (SUPERZAP). <IBM70> Finally and most important, current operating systems are so large, so complex, and so monolithic that one cannot begin to attempt a formal proof or certification of their correct implementation.

1.3.3 Hypothesis: Multics Is "Secureable" 

The computer security technology panel identified the general class of descriptor driven processors (1) as extremely useful to the implementation of a reference monitor. Multics, as the most sophisticated of the descriptor-driven systems currently available, was hypothesized to be a potentially secureable system; that is, the Multics design was sufficiently well-organized and oriented towards security that the concept of a reference monitor could be implemented for Multics without fundamental changes to the facilities seen by Multics users. In particular, the Multics ring mechanism could protect the monitor from malicious or inadvertent tampering, and the Multics segmentation could enforce monitor mediation on every reference to data. However, the question of certifiability had not as yet been addressed in Multics. Therefore the Multics vulnerability analysis described herein was undertaken to:

a. Examine Multics for potential vulnerabilities.

b. Identify whether a reference monitor was practical for Multics.

c. Identify potential interim enhancements to Multics to provide security in a benign (restricted access) environment.

d. Determine the scope and dimension of a certification effort.

(1) Descriptor driven processors use some form of address translation through hardware interpretation of descriptor words or registers. Such systems include the Burroughs 6700, the Digital Equipment Corp. PDP-11/45, the Data General Nova 840, the DEC KI-10, the HIS 6180, the IBM 370/158 and 168, and several others not listed here.

1.4 Sites Used

The vulnerability analysis described herein was carried out on the HIS 645 Multics systems installed at the Massachusetts Institute of Technology and at the Rome Air Development Center. As the HIS 6180, the new Multics processor, was not available at the time of this study, this report will describe results of analysis of the HIS 645 only. Since the completion of the analysis, work has started on an evaluation of the security controls of Multics on the HIS 6180. Preliminary results of the work on the HIS 6180 are very briefly summarized in this report, to provide an understanding of the value of the evaluation of the HIS 645 in the context of the new hardware environment.
SECTION II
MULTICS SECURITY CONTROLS



This section provides a brief overview of the basic Multics security controls to provide necessary background for the discussion of the vulnerability analysis. However, a rather thorough knowledge of the Multics implementation is assumed throughout the rest of this document. More complete background material may be found in Lipner <LIP74>, Saltzer <SAL73>, Organick <ORG72>, and the Multics Programmers' Manual <MPM73>.

The basic security controls of Multics fall into three major areas: hardware controls, software controls, and procedural controls. This overview will touch briefly on each of these areas.

2.1 Hardware Security Controls 

2.1.1 Segmentation Hardware 

The most fundamental security controls in the HIS 645 Multics are found in the segmentation hardware. The basic instruction set of the 645 can directly address up to 256K (2) distinct segments (3) at any one time, each segment being up to 256K words long. (4) Segments are broken up into 1K word pages (5) which can be moved between primary and secondary storage by software, creating a very large virtual memory. However, we will not treat paging throughout most of this evaluation as it is transparent to security. Paging must be implemented correctly in a secure system. However, bugs in page control are generally difficult to exploit in a penetration, because the user has little or no control over paging operations.

(2) 1K = 1024 units.

(3) Current software table sizes restrict a process to about 1000 segments. However, by increasing these table sizes, the full hardware potential may be used.

(4) The 645 software restricted segments to 64K words for efficiency reasons.

(5) The 645 hardware also supports 64 word pages which were not used. The 6180 supports only a single page size which can be varied by field modification from 64 words to 4096 words. Initially, a size of 1024 words is being used. The supervisors on both the 645 and 6180 use unpaged segments of length mod 64.

Segments are accessed by the 645 CPU through segment descriptor words (SDW's) that are stored in the descriptor segment (DSEG). (See Figure 1.) To access segment N, the 645 CPU uses a processor register, the descriptor segment base register (DBR), to find the DSEG. It then accesses the Nth SDW in the DSEG to obtain the address of the segment and the access rights currently in force on that segment for the current user.

Each SDW contains the absolute address of the page table for the segment and the access control information. (See Figure 2.) The last 6 bits of the SDW determine the access rights to the segment - read, execute, write, etc. (6) Using these access control bits, the supervisor can protect the descriptor segment from unauthorized modification by denying access in the SDW for the descriptor segment.

2.1.2 Master Mode 

To protect against unauthorized modification of the DBR, the processor operates in one of two states - master mode and slave mode. In master mode any instruction may be executed and access control checks are inhibited. (7) In slave mode, certain instructions including those which modify the DBR are inhibited. Master mode procedure segments are controlled by the class field in the SDW. Slave mode procedures may transfer to master mode procedures only through word zero of the master mode procedure to prevent unrestricted invocation of privileged programs. It is then the responsibility of the master mode software to protect itself from malicious calls by placing suitable protective routines beginning at location zero.

(6) A more detailed description of the SDW format may be found in the 645 processor manual <AGB71>.

(7) The counterpart of master mode on the HIS 6180, called privileged mode, does not inhibit access control checking.
Figure 1. Segmentation Hardware
2.2 Software Security Controls

The most outstanding feature of the Multics security controls is that they operate on a basis of "form" rather than the classical basis of "content". That is to say, the Multics controls are based on operations on a uniform population of well defined objects, as opposed to the classical controls which rely on anticipating all possible types of accesses and make security essentially a battle of wits.

2.2.1 Protection Rings 

The primary software security control on the 645 Multics system is the ring mechanism. It was originally postulated as desirable to extend the traditional master/slave mode relationship of conventional machines to permit layering within the supervisor and within user code (see Graham <GRA68>). Eight concentric rings of protection, numbered 0-7, are defined with higher numbered rings having less privilege than lower numbered rings, and with ring 0 containing the "hardcore" supervisor. (8) Unfortunately, the 645 CPU does not implement protection rings in hardware. (9) Therefore, the eight protection rings are implemented by providing eight descriptor segments for each process (user), one descriptor segment per ring. Special fault codes are placed in those SDW's which can be used for cross-ring transfers so that ring 0 software can intervene and accomplish the descriptor segment swap between the calling and called rings.

2.2.2 Access Control Lists 

Segments in Multics are stored in a hierarchy of directories. A directory is a special type of segment that is not directly accessible to the user and provides a place to store names and other information about subordinate segments and directories. Each segment and directory has an access control list (ACL) in its parent directory entry controlling who may read (r), write (w), or execute (e) the segment or obtain status (s) of, modify (m) entries in, or append (a) entries to a directory. For example in Figure 3, the user Jones.Druid has read permission to segment ALPHA and has null access to segment BETA. However, Jones.Druid has modify permission to directory DELTA, so he can give himself access to segment BETA. Jones.Druid cannot give himself write access to segment ALPHA, because he does not have modify permission to directory GAMMA. In turn, the right to modify the access control lists of GAMMA and DELTA is controlled by the access control list of directory EPSILON, stored in the parent of EPSILON. Access control security checks for segments are enforced by the ring 0 software by setting the appropriate bits in the SDW at the time that a user attempts to add a segment to his address space.

(8) The original design called for 64 rings, but this was reduced to 8 in 1971.

(9) One of the primary enhancements of the HIS 6180 is the addition of ring hardware <SCHR72> and a consequent elimination of the need for master mode procedures in the user ring.
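The Figure 3 walk-through above can be replayed in a small model of the directory ACL rules. This Python is an added illustration, not code from the report; the tree, the user name Jones.Druid and the permissions the text states come from the passage, and the remaining ACL entries (for example Jones.Druid's access to EPSILON) are constructed:

```python
"""Model of the directory/ACL rules of Section 2.2.2.  Added illustration,
not code from the report.  The tree and Jones.Druid's permissions follow the
Figure 3 walk-through in the text; every other ACL entry is constructed."""

SEGMENT_MODES = frozenset("rwe")    # read, write, execute on a segment
DIRECTORY_MODES = frozenset("sma")  # status, modify, append on a directory


class AccessDenied(Exception):
    pass


class Entry:
    """An object as seen from its parent directory's entry for it.

    The ACL is stored here, in the parent's entry, exactly as in Multics,
    which is why changing it is governed by the parent's own ACL.
    """

    def __init__(self, kind, acl=None):
        assert kind in ("segment", "directory")
        self.kind = kind
        self.acl = {user: set(modes) for user, modes in (acl or {}).items()}
        self.entries = {} if kind == "directory" else None

    def modes_for(self, user):
        return self.acl.get(user, set())    # no entry means null access


class Hierarchy:
    def __init__(self, root):
        self.root = root                     # root directory (path "")

    def lookup(self, path):
        """Walk a Multics-style path such as >EPSILON>GAMMA>ALPHA."""
        node = self.root
        for name in path.split(">")[1:]:
            node = node.entries[name]
        return node

    def parent_of(self, path):
        return self.lookup(path.rsplit(">", 1)[0])

    def set_acl(self, actor, path, subject, modes):
        """actor changes the ACL of path.  Needs modify (m) on the parent
        directory, because that is where the ACL entry lives."""
        if "m" not in self.parent_of(path).modes_for(actor):
            raise AccessDenied(f"{actor} lacks m on the parent of {path}")
        target = self.lookup(path)
        allowed = SEGMENT_MODES if target.kind == "segment" else DIRECTORY_MODES
        if not set(modes) <= allowed:
            raise ValueError(f"{modes!r} is not a valid {target.kind} mode set")
        target.acl[subject] = set(modes)

    def sdw_access(self, user, path):
        """Access bits ring 0 would place in user's SDW when the segment is
        added to his address space: a snapshot of the ACL at that moment."""
        target = self.lookup(path)
        if target.kind != "segment":
            raise ValueError("a directory is not directly addressable")
        return "".join(m for m in "rwe" if m in target.modes_for(user))


def figure3():
    """Constructed hierarchy matching the text's description of Figure 3."""
    jones = "Jones.Druid"
    root = Entry("directory")
    epsilon = Entry("directory", {jones: "s"})   # constructed: no m on EPSILON
    gamma = Entry("directory", {jones: "s"})     # text: no m on GAMMA
    delta = Entry("directory", {jones: "sm"})    # text: m on DELTA
    root.entries["EPSILON"] = epsilon
    epsilon.entries["GAMMA"] = gamma
    epsilon.entries["DELTA"] = delta
    gamma.entries["ALPHA"] = Entry("segment", {jones: "r"})  # text: r on ALPHA
    delta.entries["BETA"] = Entry("segment")                 # text: null access
    return Hierarchy(root), jones


def walk_through():
    """Replay the text's argument and report each outcome."""
    h, jones = figure3()
    out = {"alpha_before": h.sdw_access(jones, ">EPSILON>GAMMA>ALPHA"),
           "beta_before": h.sdw_access(jones, ">EPSILON>DELTA>BETA")}
    h.set_acl(jones, ">EPSILON>DELTA>BETA", jones, "rw")   # m on DELTA: allowed
    out["beta_after"] = h.sdw_access(jones, ">EPSILON>DELTA>BETA")
    for key, path, modes in (("alpha_grant", ">EPSILON>GAMMA>ALPHA", "rw"),
                             ("gamma_grant", ">EPSILON>GAMMA", "sm")):
        try:                            # both need m on a directory he lacks
            h.set_acl(jones, path, jones, modes)
            out[key] = "allowed"
        except AccessDenied:
            out[key] = "denied"
    return out
```

The last two cases show the point the text makes about EPSILON: Jones.Druid can neither widen his access to ALPHA nor give himself m on GAMMA, because both changes are recorded in a directory entry he lacks modify permission on.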
2.2.3 Protected Access Identification

In order to do access checking, the ring 0 software must have a protected, non-forgeable identification of a user to compare with the ACL entries. This ID is established when a user signs on to Multics and is stored in the process data segment (PDS) which is accessible only in ring 0 or in master mode, so that the user may not tamper with the data stored in the PDS.

2.2.4 Master Mode Conventions

By convention, to protect master mode software, the original design specified that master mode procedures were not to be used outside ring 0. If the master mode procedure ran in the user ring, the master mode procedure itself would be forced to play the endless game of wits of the classical supervisor call. The master mode procedure would have to include code to check for all possible combinations of input arguments, rather than relying on a fundamental set of argument independent security controls. As an aid (or perhaps hindrance) to playing the game of wits, each master mode procedure must have a master mode pseudo-operation code assembled into location 0. The master mode pseudo-operation generates code to test an index register for a value corresponding to an entry point in the segment. If the index register is invalid, the master mode pseudo-operation code saves the registers for debugging and brings the system down.

2.3 Procedural Security Controls 

2.3.1 Enciphered Passwords 

When a user logs in to Multics, he types a password as his primary authentication. Of course, the access control list of the password file denies access to regular users of the system. In addition, as a protection against loss of a system dump which could contain the password file, all passwords are stored in a "non-invertible" cipher form. When a user types his password, it is enciphered and compared with the stored enciphered version for validity. Clear text passwords are stored nowhere in the system.

2.3.2 Login Audit Trail

Each login and logout is carefully audited to check for attempts to guess valid user passwords. In addition, each user is informed of the date, time and terminal identification (if any) of last login to detect past compromises of the user's access rights. Further, the user is told the number of times his password has been given incorrectly since its last correct use.

2.3.3 Software Maintenance Procedures 

The maintenance of the Multics software is carried out online on a dial-up Multics facility. A systems programmer prepares and nominally debugs his software for installation. He then submits his software to a library installer who copies and recompiles the source in a protected directory. The library installer then checks out the new software prior to installing it in the system source and object libraries. Ring 0 software is stored on a system tape that is reloaded into the system each time it is brought up. However, new system tapes are generated from online copies of the ring 0 software. The system libraries are protected against modification by the standard ACL mechanism. In addition, the library installers periodically check the date/time last modified of all segments in the library in an attempt to detect unauthorized modifications.
SECTION III
VULNERABILITY ANALYSIS



3.1 Approach Plan 

It was hypothesized that although the fundamental design characteristics of Multics were sound, the implementation was carried out on an ad hoc basis and had security weaknesses in each of the three areas of security controls described in Section II - hardware, software, and procedures.

The analysis was to be carried out on a very limited basis with a less than one-half man month per month level of effort. Due to the manpower restrictions, a goal of one vulnerability per security control area was set. The procedure followed was to postulate a weakness in a general area, verify the weakness in the system, experiment with the weakness on the Rome Air Development Center (RADC) installation, and finally, using the resulting debugged penetration approach, exploit the weakness on the MIT installation.

An attempt was to be made to operate with the same type of ground rules under which a real agent would operate. That is, with each penetration, an attempt would be made to extract or modify sensitive system data without detection by the system maintenance or administrative personnel.

Several exploitations were successfully investigated. These included changing access fields in SDW's, changing protected identities in the PDS, inserting trap doors into the system libraries, and accessing the system password file.

3.2 Hardware Vulnerabilities 
3.2.1 Random Failures 

One area of significant concern in a system processing multi-level classified material is that of random hardware failures. As described in Section 2.1.1, the fundamental security of the system is dependent on the correct operation of the segmentation hardware. If this hardware is prone to error, potential security vulnerabilities become a significant problem.

To attempt a gross measure of the rate of security sensitive component failure, a procedure called the "subverter" was written to sample the security sensitive hardware on a frequent basis, testing for component failures which could compromise the security controls. The subverter was run in the background of an interactive process. Once each minute, the subverter received a timer interrupt and performed one test from the list described below. Assuming the test did not successfully violate security rules, the subverter would go to sleep for one minute before trying the next test. A listing of the subverter may be found in Appendix A.

The subverter was run for 1100 hours in a one year period on the MIT 645 system. The number of times each test was attempted is shown in Table 1. During the 1100 operating hours, no security sensitive hardware component failures were detected, indicating good reliability for the 645 security hardware. However, two interesting anomalies were discovered in the tests. First, one undocumented instruction (octal 471) was discovered on the 645. Experimentation indicated that the new instruction had no obvious impact on security, but merely seemed to store some internal register of no particular interest. The second anomaly was a design error resulting in an algorithmic failure of the hardware described in Section 3.2.2.
TABLE 1

Subverter Test Attempts
1100 Operating Hours

     Test Name                                   Attempts

  1. Clear Associative Memory                        3526
  2. Store Control Unit                              3466
  3. Load Timer Register                             3444
  4. Load Descriptor Base Register                   3422
  5. Store Descriptor Base Register                  3403
  6. Connect I/O Channel                             3378
  7. Delay Until Interrupt Signal                    3359
  8. Read Memory Controller Mask Register            3344
  9. Set Memory Controller Mask Register             3328
 10. Set Memory Controller Interrupt Cells           3309
 11. Load Alarm Clock                                3289
 12. Load Associative Memory                         3259
 13. Store Associative Memory                        3236
 14. Restore Control Unit                            3219
 15. No Read Permission                              3148
 16. No Write Permission                             3131
 17. XED - No Read Permission                        3113
 18. XED - No Write Permission                       3098
 19. Tally Word Without Write Permission             3083
 20. Bounds Fault <64K                               2398
 21. Bounds Fault >64K                               2368
 22. Illegal Opcodes                                 2108

Tests 1-14 are tests of master mode instructions. Tests 15 and 16 attempt simple violation of read and write permission as set on segment ACL's. Tests 17 and 18 are identical to 15 and 16 except that the faulting instructions are reached from an Execute Double instruction rather than normal instruction flow. Test 19 attempts to increment a tally word that is in a segment without write permission. Tests 20 and 21 take out of bounds faults on segments of zero length, forcing the supervisor to grow new page tables for them. Test 22 attempts execution of all the instructions marked illegal on the 645.
3.2.2 Execute Instruction Access Check Bypass

While experimenting with the hardware subverter, a sequence of code (10) was observed which would cause the hardware of the 645 to bypass access checking. Specifically, the execute instruction in certain cases described below would permit the executed instruction to access a segment for reading or writing without the corresponding permissions in the SDW.

This vulnerability occurred when the execute instruction was in certain restricted locations of a segment with at least read-execute (re) permission. (See Figure 4.) The execute instruction then referenced an object instruction in word zero of a second segment with at least R permission. The object instruction indirected through an ITS pointer in the first segment to access a word for reading or writing in a third segment. The third segment was required to be "active"; that is, to have an SDW pointing to a valid page table for the segment. If all these conditions were met precisely, the access control fields in the SDW of the third segment would be ignored and the object instruction permitted to complete without access checks.

The exact layout of instructions and indirect words was crucial. For example, if the object instruction used a base register rather than indirecting through the segment containing the execute instruction (i.e., staq ap|0 rather than staq 6,*), then the access checks were done properly. Unfortunately, a complete schematic of the 645 was not available to determine the exact cause of the bypass. In informal communications with Honeywell, it was indicated that the error was introduced in a field modification to the 645 at MIT and was then made to all processors at all other sites.

This hardware bug represents a violation of one of the most fundamental rules of the Multics design - the checking of every reference to a segment by the hardware. This bug was not caused by fundamental design problems. Rather, it was caused by carelessness by the hardware engineering personnel.

(10) The subverter was designed to test sequences of code in which single failures could lead to security problems. Some of these sequences exercised relatively complex and infrequently used instruction modifications which experience had shown were prone to error.



[Figure 4 (diagram not reproduced): a segment with re access containing the xec bp|0 instruction and an ITS pointer; a second segment with r access containing staq 6,* at word zero; a third segment with null access as the target of the store.]
No attempt was made to make a complete search for additional hardware design bugs, as this would have required logic diagrams for the 645. It was sufficient for this effort to demonstrate one vulnerability in this area.

3.2.3 Preview of 6180 Hardware Vulnerabilities

While no detailed look has been taken at the issue of hardware vulnerabilities on the 6180, the very first login of an ESD analyst to the 6180 inadvertently discovered a hardware vulnerability that crashed the system. The vulnerability was found in the Tally Word Without Write Permission test of the subverter. In this test, when the 6180 processor encountered the tally word without write permission, it signalled a "trouble" fault rather than an "access violation" fault. The "trouble" fault is normally signalled only when a fault occurs during the signalling of a fault. Upon encountering a "trouble" fault, the software normally brings the system down.

It should be noted that the HIS 6180 contains very new and complex hardware that, as of this publication, has not been completely "shaken down". Thus, Honeywell still quite reasonably expects to find hardware problems. However, the inadequacy of "testing" for security vulnerabilities applies equally well to hardware as to software. Simply "shaking down" the hardware cannot find all the possible vulnerabilities.

3.3 Software Vulnerabilities

Although the approach plan for the vulnerability analysis only called for locating one example of each class of vulnerability, three software vulnerabilities were identified as shown below. Again, the search was neither exhaustive nor systematic.

3.3.1 Insufficient Argument Validation 

Because the 645 Multics system must simulate protection rings in software, there is no direct hardware validation of arguments passed in a subroutine call from a less privileged ring to a more privileged ring. Some form of validation is required, because a malicious user could call a ring 0 routine that stores information through a user supplied pointer. If the malicious user supplied a pointer to data to which ring 0 had write permission but to which the user ring did not, ring 0 could be "tricked" into causing a security violation.

To provide validation, the 645 software ring crossing mechanism requires all gate segments (11) to declare to the "gatekeeper" the following information:

1. number of arguments expected

2. data type of each argument

3. access requirements for each argument - read only or read/write.

This information is stored by convention in specified locations within the gate segment. (12) The "gatekeeper" invokes an argument validation routine that inspects the argument list being passed to the gate to ensure that the declared requirements are met. If any test fails, the argument validator aborts the call and signals the condition "gate_error" in the calling ring.

In February 1973, a vulnerability was identified in the argument validator that would permit the "fooling" of ring 0 programs. The argument validator's algorithm to validate read or read/write permission was as follows: First copy the argument list into ring 0 to prevent modification of the argument list by a process running on another CPU in the system while the first process is in ring 0 and has completed argument validation. Next, force indirection through each argument pointer to obtain the segment number of the target argument. Then look up the segment in the calling ring's descriptor segment to check for read or write permission.

The vulnerability is as follows: (See Figure 5.) An argument pointer supplied by the user is constructed to contain an IDC modifier (increment address, decrement tally, and continue) that causes the first reference through the indirect chain to address a valid argument. This first reference is the one made by the argument validator. The reference through the IDC modifier increments the address field of the tally word causing it to point to a different indirect word which in turn points to a different ITS pointer which points to an argument which is writable in ring 0 only. The second reference through this modified indirect chain is made by the ring 0 program which proceeds to write data where it shouldn't. (13)

(11) A gate segment is a segment used to cross rings. It is identified by R2 and R3 of its ring brackets R1, R2, R3 being different. See Organick <ORG72> for a detailed description of ring brackets.

(12) For the convenience of authors of gates, a special "gate language" and "gate compiler" are provided to generate properly formatted gates. Using this language, the author of the gate can declare the data type and access requirement of each argument.

This vulnerability resulted from violation of 
a basic rule of the Multlcs design - that all arguments to 
a more privileged ring be validated. The problem was not 
In the fundamental design - the concept of a software 
argument validator is sound given the lacl< of ring 
hardv^are. The problem was an ad hoc implementation of 
that argument validator which overlool<ed a class of 
argument pointers. 

independently, a change was made to the f'lT 
system which fixed this vulnerability in February 1975. 
The presence and explol tab I 1 1 ty of the vulnerability vjere 
verified on the RADC M.ultlcs which had not been updated to 
the version running at MIT. The method of correction 
chosen by MIT was rather "brute force." The argument 
validator was changed to require the modifier In the 
second word of each argument pointer always to be zero. 
This requirement solves the specific problem of the IPC 
modifier, but not the general problem of argument 
val I da tlon. 
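The double reference that the validator overlooked, as an added Python simulation that is not code from the report: the validator and the ring 0 program each follow the same argument pointer once, and an IDC modifier moves the chain between those two references. Beside the flawed handler are MIT's rule that the modifier must be zero and the general fix of resolving the chain once and storing through the resolved target. Segment names, ring numbers and the memory model are constructed for the simulation.

```python
"""Simulation (added example, not code from the report) of the Insufficient
Argument Validation flaw.  A user-supplied argument pointer goes through an
indirect (tally) word; with an IDC modifier every reference advances the
address field, so the validator's reference and the ring 0 program's
reference land on different targets.  Segment names, ring numbers and the
memory model are constructed for the demonstration."""

from dataclasses import dataclass, field

RING0 = 0        # the privileged ring
USER_RING = 4    # the caller's ring


@dataclass
class Segment:
    name: str
    write_ring: int                      # highest ring allowed to write
    words: list = field(default_factory=lambda: [0] * 8)


@dataclass
class IndirectWord:
    """Tally word: an address field selecting one of several ITS pointers
    (segment, word) plus a modifier.  An IDC modifier increments the
    address field after each reference (the tally count is omitted)."""
    targets: list
    modifier: str = ""                   # "" (none) or "idc"
    address: int = 0

    def follow(self):
        target = self.targets[self.address]
        if self.modifier == "idc":
            self.address += 1            # side effect of the reference
        return target


class Machine:
    def __init__(self, segments):
        self.segments = {s.name: s for s in segments}

    def writable_from(self, target, ring):
        return ring <= self.segments[target[0]].write_ring

    def store(self, ring, target, value):
        """Store with hardware access checking for the executing ring."""
        if not self.writable_from(target, ring):
            raise PermissionError(f"ring {ring} may not write {target[0]}")
        self.segments[target[0]].words[target[1]] = value


def ring0_store_vulnerable(m, arg_ptr, caller_ring, value):
    """Ad hoc validator: follows the chain once, checks what it finds, and
    then lets the ring 0 program follow the chain again for the store."""
    if not m.writable_from(arg_ptr.follow(), caller_ring):
        return "rejected"
    target = arg_ptr.follow()            # second reference; chain has moved
    m.store(RING0, target, value)        # ring 0 is allowed to write anything
    return target[0]


def ring0_store_mit_fix(m, arg_ptr, caller_ring, value):
    """MIT's brute-force fix: refuse any pointer with a nonzero modifier."""
    if arg_ptr.modifier:
        return "rejected"
    return ring0_store_vulnerable(m, arg_ptr, caller_ring, value)


def ring0_store_resolved(m, arg_ptr, caller_ring, value):
    """General fix: resolve the chain exactly once, check the resolved
    target on the caller's behalf, and store through that same target."""
    target = arg_ptr.follow()
    if not m.writable_from(target, caller_ring):
        return "rejected"
    m.store(RING0, target, value)
    return target[0]


def build_machine():
    return Machine([Segment("user_data", write_ring=USER_RING),
                    Segment("dseg", write_ring=RING0)])   # descriptor segment


def run(handler, modifier):
    """Call handler with a constructed user argument pointer whose first
    target is a legitimate user word and whose next target is ring 0 data.
    Returns the name of the segment written, or "rejected"."""
    m = build_machine()
    ptr = IndirectWord(targets=[("user_data", 2), ("dseg", 3)], modifier=modifier)
    return handler(m, ptr, USER_RING, 0o777)


if __name__ == "__main__":
    for h in (ring0_store_vulnerable, ring0_store_mit_fix, ring0_store_resolved):
        print(f"{h.__name__:24s} idc -> {run(h, 'idc'):9s}  plain -> {run(h, '')}")
```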

3.3.2 Master Mode Transfer

As described in Sections 2.1.2 and 2.2.4, the 645 CPU has a master mode in which privileged instructions may be executed and in which access checking is inhibited, although address translation through segment and page tables is retained. (14) The original design of the Multics protection rings called for master mode code to be restricted to ring 0 by convention. (15) This convention caused the fault handling mechanism to be excessively expensive due to the necessity of switching from the user ring into ring 0 and out again using the full software ring crossing mechanism. It was therefore proposed and implemented that the signaller, the module responsible for processing faults to be signalled to the user, (16) be permitted to run in the user ring to speed up fault processing. The signaller is a master mode procedure, because it must execute the RCU (Restore Control Unit) instruction to restart a process after a fault.

The decision to move the signaller to the user ring was not felt to be a security problem by the system designers, because master mode procedures could only be entered at word zero. The signaller would be assembled with the master mode pseudo-operation code at word zero to protect it from any malicious attempt by a user to execute an arbitrary sequence of instructions within the procedure. It was also proposed, although never implemented, that the code of master mode procedures in the user ring be specially audited. However, as we shall see in Section 5.4.4, auditing does not guarantee victory in the "battle of wits" between the implementor and the penetrator. Auditing cannot be used to make up for fundamental security weaknesses.

It was postulated in the ESD/MCI vulnerability analysis that master mode procedures in the user ring represent a fundamental violation of the Multics security concept. Violating this concept moves the security controls from the basic hardware/software mechanism to the cleverness of the systems programmer who, being human, makes mistakes and commits oversights. The master mode procedures become classical "supervisor calls" with no rules for "sufficient" security checks. In fact, upon close examination of the signaller, this hypothesis was found to be true.

(13) Depending on the actual number of references made, the malicious user need only vary the number of indirect words pointing to legal and illegal arguments. We have assumed for simplicity here that the validator and the ring 0 program make only one reference each.

(14) The 645 also has an absolute mode in which all addresses are absolute core addresses rather than being translated by the segmentation hardware. This mode is used only to initialize the system.

(15) This convention is enforced on the 6180. Privileged mode (the 6180 analogy to the 645 master mode) only has effect in ring 0. Outside ring 0, the hardware ignores the privileged mode bit.

(16) The signaller processed such faults as "zerodivide" and access violation which are signalled to the user. Page faults and segment faults which the user never sees are processed elsewhere in ring 0.
The master mode pseudo-operation code was designed only to protect master mode procedures from random calls within ring 0. It was not designed to withstand the attack of a malicious user, but only to operate in the relatively benign environment of ring 0.

The master mode program shown in Figure 6 assembles into the interpreted object code shown in Figure 7. The master mode procedure can only be entered at word zero. (17) The master mode sequence checks to ensure that index register zero is in bounds. If it is, the transfer on no carry (tnc) instruction indirects through the transfer vector to the proper entry. If index register zero is out of bounds, the processor registers are saved for debugging and control is transferred to "mxerror," a routine to crash the system because of an unrecoverable error.

This transfer to mxerror is the most obvious vulnerability. By moving the signaller into the user ring, the designers allowed a user to arbitrarily crash the system by transferring to signaller|0 with a bad value in index register zero. This vulnerability is not too serious, since it does not compromise information and could be repaired by changing mxerror to handle the error, rather than crashing the system.

However, there is a much more subtle and dangerous vulnerability here. The tra lp|12,* instruction that is used to call mxerror believes that the lp register points to the linkage section of the signaller, which it should if the call were legitimate. However, a malicious user may set the lp register to point wherever he wishes, permitting him to transfer to an arbitrary location while the CPU is still in master mode. The key is the transfer in master mode, because this permits a transfer to an arbitrary location within another master mode procedure without access checking and without the restriction of entering at word zero. Thus, the penetrator need only find a convenient store instruction to be able to write into his own descriptor segment, for example. Figure 8 shows the use of a sta bp|0 instruction to change the contents of an SDW illegally.

(17) This restriction is enforced by hardware described in Section 2.1.2.








        name    master_test
        mastermode
        entry   a
        entry   b
a:
b:
        end

Figure 6. Master Mode Source Code

        cmpx0   2,du                "call in bounds?
        tnc     transfer_vector,0   "yes, go to entry
        stb     sp|0                "illegal call here
        sreg    sp|10               "save registers
        eapap   arglist             "set up call
        stcd    sp|24
        tra     lp|12,*             "lp|12 points to mxerror
transfer_vector:
        tra     a
        tra     b
a:      code
        ...
b:      code
        ...
        end

Figure 7. Master Mode Interpreted Object Code
Figure 8. Store with Master Mode Transfer

There is one major difficulty in exploiting this vulnerability. The instruction to which control is transferred must be chosen with extreme care. The instructions immediately following the store must provide some orderly means of returning control to the malicious user without doing uncontrolled damage to the system. If a crucial data base is garbled, the system will crash, leaving a core dump which could incriminate the penetrator.

This vulnerability was identified by ESD/MCI in June 1972. An attempt to use the vulnerability led to a system crash for the following reason: due to an obsolete listing of the signaller, the transfer was made to an LDBR (Load Descriptor Base Register) instruction instead of the expected store instruction. The DBR was loaded with a garbled value, and the system promptly crashed. The system maintenance personnel, being unaware of the presence of an active penetration, attributed the crash to a disk read error.

The Master Mode Transfer vulnerability resulted from a violation of the fundamental rule that master mode code shall not be executed outside ring 0. The violation was not made maliciously by the system implementors. Rather, it occurs because of the interaction of two seemingly independent events: the ability to transfer via the lp without the system being able to check the validity of the lp setting, and the ability for that transfer to be to master mode code. The separation of these events made the recognition of the problem unlikely during implementation.

3.3.3 Unlocked Stack Base

The 645 CPU has eight 18-bit registers that are used for inter-segment references. Control bits are associated with each register to allow it to be paired with another register as a word number-segment number pair. In addition, each register has a lock bit, settable only in master mode, which protects its contents from modification. By convention, the eight registers are named and paired as shown in Table 2.






TABLE 2
Base Register Pairing

Number  Name  Use               Pairing
0       ap    argument pointer  paired with ab
1       ab    argument base     unpaired
2       bp    unassigned        paired with bb
3       bb    unassigned        unpaired
4       lp    linkage pointer   paired with lb
5       lb    linkage base      unpaired
6       sp    stack pointer     paired with sb
7       sb    stack base        unpaired

During the early design of the Multics operating system, it was felt that the ring 0 code could be simplified if the stack base (sb) register were locked, that is, could only be modified in master mode. The sb contained the segment number of the user stack, which was guaranteed to be writeable. If the sb were locked, then the ring 0 fault and interrupt handlers could have convenient areas in which to store stack frames. After Multics had been released to users at MIT, it was realized that locking the stack base unnecessarily constrained language designers. Some languages would be extremely difficult to implement without the capability of quickly and easily switching between stack segments. Therefore, the system was modified to no longer lock the stack base.

When the stack base was unlocked, it was realized that there was code scattered throughout ring 0 which assumed that the sb always pointed to the stack. Therefore, ring 0 was "audited" for all code which depended on the locked stack base. However, the audit was never completed and the few dependencies identified were in general not repaired until much later.

As part of the vulnerability analysis, it was hypothesized that such an audit for unlocked stack base problems was presumably incomplete. The ring 0 code is so large that a subtle dependency on the sb register could easily slip by an auditor's notice. This, in fact, proved to be true as shown below:

Section 3.3.2 showed that the master mode pseudo-operation code believed the value in the lp register and transferred through it. Figure 7 shows that the master mode pseudo-operation code also depends on the sb pointing to a writeable stack segment. When an illegal master mode call is made, the registers are saved on the stack prior to calling "mxerror" to crash the system. This code was designed prior to the unlocking of the stack base and was not detected in the system audit. The malicious user need only set the sp-sb pair to point anywhere to perform an illegal store of the registers with master mode privileges.

The exploitation of the unlocked stack base vulnerability was a two step procedure. The master mode pseudo-operation code stored all the processor registers in an area over 20 words long. This area was far too large for use in a system penetration in which at most one or two words are modified to give the agent the privileges he requires. However, storing a large number of words could be very useful to install a "trap door" in the system - that is, a sequence of code which when properly invoked provides the penetrator with the needed tools to subvert the system. Such a "trap door" must be well hidden to avoid accidental discovery by the system maintenance personnel.

It was noted that the linkage segments of several of the ring 0 master mode procedures were preserved as separate segments rather than being combined in a single linkage segment. Further, these linkage segments were themselves master mode procedures. Thus, segments such as signaller, fim, and emergency_shutdown had corresponding master mode linkage segments signaller.link, fim.link, and emergency_shutdown.link. Linkage segments contain a great deal of information used only by the binder and therefore contain a great deal of extraneous information in ring 0. For this reason, a master mode linkage segment is an ideal place to conceal a "trap door." There is a master mode procedure called emergency_shutdown that is used to place the system in a consistent state in the event of a crash. Since emergency_shutdown is used only at the time of a system crash, its linkage segment, emergency_shutdown.link, was chosen to be used for the "trap door".
The first step of the exploitation of the unlocked stack base is shown in Figure 9. (18) The signaller is entered at location 0 with an invalid index register 0. The stack pointer is set to point to an area of extraneous storage in emergency_shutdown.link. The AQ register contains a two instruction "trap door" which, when executed in master mode, can load or store any 36-bit word in the system. The index registers could be used to hold a longer "trap door"; however, in this case the xed bp|0, tra bp|2 sequence is sufficient. The base registers, index registers, and AQ register are stored into emergency_shutdown.link, thus laying the "trap door". Finally a transfer is made indirect through lp|12, which has been pre-set as a return pointer. (19)

Step two of the exploitation of the unlocked stack base is shown in Figure 10. The calling program sets the bp register to point to the desired instruction pair and transfers to word zero of the signaller with an invalid value in index register 0. The signaller saves its registers on the user's stack frame since the sp has not been changed. It then transfers indirect through lp|12, which has been set to point to the "trap door" in emergency_shutdown.link. The first instruction of the "trap door" is an execute double (XED) which permits the user (penetration agent) to specify any two arbitrary instructions to be executed in master mode. In this example, the instruction pair loads a register from a word in the stack frame (20) and then stores indirect through a pointer in the stack to an SDW in the descriptor segment. The second instruction in the "trap door" transfers back to the calling program, and the penetrator may go about his business.

(18) Listings of the code used to exploit this vulnerability are found in Appendix B.

(19) This transfer uses the Master Mode Transfer vulnerability to return. This is done primarily for convenience. The fundamental vulnerability is the storing through the sp register. Without the Master Mode Transfer, exploitation of the Unlocked Stack Base would have been more difficult, although far from impossible.

(20) It should be noted that only step one changed the value of the sp. In step two, it is very useful to leave the sp pointing to a valid stack frame.

Figure 9. Unlocked Stack Base (Step 1)

Figure 10. Unlocked Stack Base (Step 2)
The "trap door" inserted in emergency_shutdown.link remained in the system until the system was reinitialized. (21) At initialization time, a fresh copy of all ring zero segments is read in from the system tape, erasing the "trap door". Since system initializations occur at least once per day, the penetrator must execute step one before each of his working sessions. Step two is then executed each time he wishes to access or modify some word in the system.

The unlocked stack base vulnerability was identified in June 1972 with the Master Mode Transfer vulnerability. It was developed and used at the RADC site in September 1972 without a single system crash. In October 1972, the code was transferred to the MIT site. Due to lack of good telecommunications between the two sites, the code was manually retyped into the MIT system. A typing mistake was made that caused the word to be stored into the SDW to always be zero (See Figure 10). When an attempt was made to set slave access-data in the SDW of the descriptor segment itself, (22) the SDW of the descriptor segment was set to zero, causing the system to crash at the next LDBR instruction or segment initiation. The bug was recognized and corrected immediately, but later in the day, a second crash occurred when the SDW for the ring zero segment fim (the fault intercept module) was patched to slave access-write permit-data rather than slave access-write permit-slave procedure. In more straightforward terms, the SDW was set to read-write rather than read-write-execute. Therefore, when the system next attempted to execute the fim it took a no-execute permission fault and tried to execute the fim, thus entering an infinite loop crashing the system.

3.3.4 Preview of 6180 Software Vulnerabilities

The 6180 hardware implementation of rings renders invalid the attacks described here on the 645. This is not to say, however, that the 6180 Multics is free of vulnerabilities. A cursory examination of the 6180 software has revealed the existence of several software vulnerabilities, any one of which can be used to access any information in the system. These vulnerabilities were identified with comparable levels of effort to those shown in Section 3.5.

(21) See Section 5.4.5 for more lasting "trap doors".

(22) The attempt here was to dump the contents of the descriptor segment on the terminal. The user does not normally have read permission to his own descriptor segment.

3.3.4.1 No Call Limiter Vulnerability

The first vulnerability is the No Call Limiter vulnerability. This vulnerability was caused by the call limiter not being set on gate segments, allowing the user to transfer to any instruction within the gate rather than to just an entry transfer vector. This vulnerability gives the penetrator the same capabilities as the Master Mode Transfer vulnerability.

3.3.4.2 SLT-KST Dual SDW Vulnerability

The second vulnerability is the SLT-KST Dual SDW vulnerability. When a user process was created on the 645, separate descriptor segments were created for each ring, with the ring 0 SDW's being copied from the segment loading table (SLT). The ring 0 descriptor segment was essentially a copy of the SLT for ring 0 segments. The ring 4 descriptor segment zeroed out most SDW's for ring 0 segments. Non-ring 0 SDW's were added to both the ring 0 and ring 4 descriptor segments from the Known Segment Table (KST) during segment initiation. Upon conversion to the 6180, the separate descriptor segments for each ring were merged into one descriptor segment containing ring brackets in each SDW <IPC73>. The ring 0 SDW's were still taken from the SLT and the non-ring 0 SDW's from the KST as on the 645.

The system contains several gates from ring 4 into ring 0 of varying levels of privilege. The least privileged gate is called hcs_ and may be used by all users in ring 4. The most privileged gate is called hphcs_ and may only be called by system administration personnel. The gate hphcs_ contains routines to shut the system down, access any segment in the system, and patch ring 0 data bases. If a user attempts to call hphcs_ in the normal fashion, hphcs_ is entered into the KST, an SDW is assigned, and access rights are determined from the access control list stored in hphcs_'s parent directory. Since most users would not be on the access control list of hphcs_, access would be denied. Ring 0 gates, however, also have a second segment number assigned from the segment loading table (SLT). This duplication posed no problem on the 645, since SLT SDW's were valid only in the ring 0 descriptor segment. However, on the 6180, the KST SDW for hphcs_ would be null access, ring brackets 0,0,5, but the SLT SDW would be read-execute (re) access, ring brackets 0,0,5. Therefore, the penetrator need only transfer to the appropriate absolute segment number rather than using dynamic linking to gain access to any hphcs_ capability. This vulnerability was considerably easier to use than any of the others and was carried through identification, confirmation, and exploitation in less than 5 man-hours total (See Section 3.5).
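The inconsistency that produced the Dual SDW condition, expressed as an audit an administrator could run over a merged descriptor segment; this is an added example, not code from the report or from Honeywell. It groups SDWs by the segment they map and reports any right that a second (SLT-derived) SDW grants beyond what the ACL-derived (KST) SDW allows. The descriptor table, segment numbers and the bracket check are constructed for the demonstration.

```python
"""Added example, not from the report: an audit for the SLT-KST Dual SDW
condition on a merged (6180-style) descriptor segment, where one segment is
mapped by two segment numbers whose SDWs grant different access.  The
descriptor table and all its values are constructed for the demonstration."""

from collections import defaultdict
from dataclasses import dataclass

ORDER = "rew"   # canonical order for access letters: read, execute, write


@dataclass(frozen=True)
class SDW:
    segno: int
    segment: str        # name of the segment this SDW maps
    access: str         # subset of "rew"; "" is null access
    brackets: tuple     # ring brackets (R1, R2, R3)
    source: str         # "SLT" (copied from the segment loading table)
                        # or "KST" (assigned at initiation from the ACL)


def audit_dual_sdws(dseg):
    """Find segments reachable through more than one SDW and report every
    right an extra SDW grants beyond what the ACL-derived (KST) SDW grants.
    Returns a sorted list of (segment, offending segno, extra rights)."""
    by_segment = defaultdict(list)
    for sdw in dseg:
        by_segment[sdw.segment].append(sdw)
    findings = []
    for name, sdws in by_segment.items():
        acl_sdws = [s for s in sdws if s.source == "KST"]
        if len(sdws) < 2 or not acl_sdws:
            continue
        allowed = set(acl_sdws[0].access)
        for s in sdws:
            if s.source == "KST":
                continue
            extra = set(s.access) - allowed
            if extra:
                findings.append((name, s.segno,
                                 "".join(c for c in ORDER if c in extra)))
    return sorted(findings)


def effective_access(dseg, segment, ring):
    """The widest access any SDW grants to `segment` from `ring`, which is
    what a caller transferring by absolute segment number obtains.  The
    bracket test (R1 <= ring <= R3) is a simplification for the demo."""
    rights = set()
    for s in dseg:
        if s.segment == segment and s.brackets[0] <= ring <= s.brackets[2]:
            rights |= set(s.access)
    return "".join(c for c in ORDER if c in rights)


# Constructed descriptor segment: hphcs_ appears twice, with null access via
# the KST (the user is not on its ACL) but re via its SLT segment number.
CONSTRUCTED_DSEG = [
    SDW(0o10, "hcs_", "re", (0, 0, 5), "SLT"),
    SDW(0o11, "hphcs_", "re", (0, 0, 5), "SLT"),
    SDW(0o300, "hcs_", "re", (0, 0, 5), "KST"),
    SDW(0o301, "hphcs_", "", (0, 0, 5), "KST"),
    SDW(0o302, "user_prog", "re", (4, 4, 4), "KST"),
]

if __name__ == "__main__":
    for segment, segno, extra in audit_dual_sdws(CONSTRUCTED_DSEG):
        print(f"{segment}: segno {segno:o} grants '{extra}' not granted by ACL")
    print("effective access to hphcs_ from ring 4:",
          effective_access(CONSTRUCTED_DSEG, "hphcs_", 4))
```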

3.3.4.3 Additional Vulnerabilities

The above mentioned 6180 vulnerabilities have been identified and repaired by Honeywell. The capabilities of the SLT-KST Dual SDW vulnerability were demonstrated to Honeywell on 14 September 1973 in the form of an illegal message to the operator's console at the 6180 site in the Honeywell plant in Phoenix, Arizona. Honeywell did not identify the cause of the vulnerability until March 1974 and installed a fix in Multics System 23.6. As of the time of this publication, additional vulnerabilities have been identified but at this time have not been developed into a demonstration.

3.4 Procedural Vulnerabilities

This section describes the exploitation by a remote user of several classes of procedural vulnerabilities. No attempt was made to penetrate physical security, as there were many admitted vulnerabilities in this area. In particular, the machine room was not secure and communications lines were not encrypted. Rather, this section looks at the areas of auditing, system configuration control, (23) passwords, and "privileged" users.

(23) System configuration control is a term derived from Air Force procurement procedures and refers to the control and management of the hardware and software being used in a system with particular attention to the software update tasks. It is not to be confused with the Multics dynamic reconfiguration capability which permits the system to add and delete processors and memories while the system is running.

3.4.1 Dump and Patch Utilities

To provide support to the system maintenance personnel, the Multics system includes commands to dump or patch any word in the entire virtual memory. These utilities are used to make online repairs while the system continues to run. Clearly these commands are very dangerous, since they can bypass all security controls to access otherwise protected information, and if misused, can cause the system to crash by garbling critical data bases. To protect the system, these commands are implemented by special privileged gates into ring zero. The access control lists on these gates restrict their use to system maintenance personnel by name as authenticated by the login procedure. Thus an ordinary user nominally cannot access these utilities. To further protect the system, the patch utility records on the system operator's console every patch that is made. Thus, if an unexpected or unauthorized patch is made, the system operator can take immediate action by shutting the system down if necessary.

Clearly dump and patch utilities would be of great use to a system penetrator, since they can be used to facilitate his job. Procedural controls on the system dump and patch routines prevent the penetrator from using them by the ACL restrictions and the audit trail. However, by using the software vulnerabilities described in Section 3.3, these procedural controls may be bypassed and the penetration agent can implement his own dump and patch utilities as described below.

Dump and patch utilities were implemented on Multics using the Unlocked Stack Base and Insufficient Argument Validation vulnerabilities. These two vulnerabilities demonstrated two basically different strategies for accessing protected segments. These two strategies developed from the fact that the Unlocked Stack Base vulnerability operates in ring 4 master mode, while the Insufficient Argument Validation vulnerability operates in ring 0 slave mode. In addition, there was a requirement that a minimal amount of time be spent with the processor in an anomalous state - ring 4 master mode or ring 0 illegal code. When the processor is in an anomalous state, unexpected interrupts or events could cause the penetrator to be exposed in a system crash.

3.4.1.1 Use of Insufficient Argument Validation

As was mentioned above, the HIS 645 implementation of Multics simulates protection rings by providing one descriptor segment for each ring. Patch and dump utilities can be implemented using the Insufficient Argument Validation vulnerability by realizing that the ring zero descriptor segment will have entries for segments which are not accessible from ring 4. Conceptually, one could copy an SDW for some segment from the ring 0 descriptor segment to the ring 4 descriptor segment and be guaranteed at least as much access as available in ring 0. Since the segment number of a segment is the same in all rings, this approach is very easy to implement.

The exact algorithm is shown in flow chart form in Figure 11. In block 2 of the flow chart, the ring 4 SDW is read from the ring 4 descriptor segment (wdseg) using the Insufficient Argument Validation vulnerability. Next the ring 0 SDW is read from the ring 0 descriptor segment (dseg). The ring 0 SDW must now be checked for validity, since the segment may not be accessible even in ring 0. (24) An invalid SDW is represented by all 36 bits being zero. One danger present here is that if the segment in question is deactivated, (25) the SDW being checked may be invalidated while it is being manipulated. This event could conceivably have disastrous results, but as we shall see in Section 3.4.2, the patch routine need only be used on segments which are never deactivated. The dump routine can do no harm if it accidentally uses an invalid SDW, as it always only reads using the SDW, conceivably reading garbage but nothing else. Further, deactivation of the segment is highly unlikely since the segment is in "use" by the dump/patch routine.

If the ring 0 SDW is invalid, an error code is returned in block 5 of the flow chart and the routine terminates. Otherwise, the ring 0 SDW is stored into the ring 4 descriptor segment (wdseg) with read-execute-write access by turning on the SDW bits for slave access, write permission, slave procedure. (See Figure 2). Now the dump or patch can be performed without using the vulnerability to load or store each 36 bit word being moved. Finally, in block 8, the ring 4 SDW is restored to its original value, so that a later unrelated system crash could not reveal the modified SDW in a dump. It should be noted that while blocks 2, 3, 6, and 8 all use the vulnerability, the bulk of the time is spent in block 7 actually performing the dump or patch in perfectly normal ring 4 slave mode code.

(24) As an additional precaution, ring 0 slave mode programs run under the same access rules as all other programs. A valid SDW entry is made for a segment in any ring only if the user is on the ACL for the segment. We shall see in Section 3.4.2 how to get around this "security feature".

(25) A segment is deactivated when its page table is removed from core. Segment deactivation is performed on a least recently used basis, since not all page tables may be kept in core at one time.

3.4.1.2 Use of Unlocked Stack Base

The Unlocked Stack Base vulnerability operates in a very different environment from the Insufficient Argument Validation vulnerability. Rather than running in ring 0, the Unlocked Stack Base vulnerability runs in ring 4 in master mode. In the ring 0 descriptor segment, the segment dseg is the ring 0 descriptor segment and wdseg is the ring 4 descriptor segment. (26) However, in the ring 4 descriptor segment, the segment dseg is the ring 4 descriptor segment and wdseg has a zeroed SDW. Therefore, a slightly different strategy must be used to implement dump and patch utilities, as shown in the flow chart in Figure 12. (27) The primary difference here is in blocks 3 and 5 of Figure 12, in which the ring 4 SDW for the segment is used rather than the ring 0 SDW. Thus the number of segments which can be dumped or patched is reduced from those accessible in ring 0 to those accessible in ring 4 master mode. We shall see in Section 3.4.2 that this reduction is not crucial, since ring 4 master mode has sufficient access to provide "interesting" segments to dump or patch.

3.4.1.3 Generation of New SDW's

Two strategies for implementation of dump and patch utilities were shown above. In addition, a third strategy exists which was rejected due to its inherent dangers. In this third strategy, the penetrator selects an unused segment number and constructs an SDW occupying that segment number in the ring 4 descriptor segment using any of the vulnerabilities. This totally new SDW could then be used to access some part of the Multics hierarchy. However, two major problems are associated with this strategy which caused its rejection. First, the absolute core address of the page table of the segment must be stored in the SDW address field. There is no easy way for a penetrator to obtain the absolute address of the page table for a segment not already in his descriptor segment short of duplicating the entire segment fault mechanism, which runs to many hundreds or thousands of lines of code. Second, if the processor took a segment or page fault on this new SDW, the ring 0 software would malfunction, because the segment would not be recorded in the Known Segment Table (KST). This malfunction could easily lead to a system crash and the disclosure of the penetrator's activities. Therefore, the strategy of generating new SDW's was rejected.

(26) Actually wdseg is the descriptor segment for whichever ring (1-7) was active at the time of the entry to ring 0. No conflict occurs since wdseg is always the descriptor segment for the ring on behalf of which ring 0 is operating.

(27) This strategy is also used with the Execute Instruction Access Check Bypass vulnerability which runs in ring 4.

3.4.2 Forging the Non-Forgeable User Identification

In Section 2.2.3 the need for a protected, non-forgeable identification of every user was identified. This non-forgeable ID must be compared with access control list entries to determine whether a user may access some segment. This identification is established when the user logs into Multics and is authenticated by the user password. (28) If this user identification can be forged in any way, then the entire login audit mechanism can be rendered worthless.

The user identification in Multics is stored in a per-process segment called the process data segment (PDS). The PDS resides in ring 0 and contains many constants used in ring 4 and the ring 0 procedure stack. The user identification is stored in the PDS as a character string representing the user's name and a character string representing the user's project. The PDS must be accessible to any ring 0 procedure within a user's process and must be accessible to ring 4 master mode procedures (such as the signaller). Therefore, as shown in Sections 3.4.1.1 and 3.4.1.2, the dump and patch utilities can dump and patch portions of the PDS, thus forging the non-forgeable user identification. Appendix E shows the actual user commands needed to forge the user identification.

(28) Clearly more sophisticated authentication schemes than a single user chosen password could be used on Multics (see Richardson <RIC73>). However, such schemes are outside the scope of this paper.

This capability provides the penetrator with an "ultimate weapon". The agent can now undetectably masquerade as any user of the system including the system administrator or security officer, immediately assuming that user's access privileges. The agent has bypassed and rendered ineffective the entire login authentication mechanism with all its attendant auditing machinery. The user whom the agent is impersonating can login and operate without interference. Even the "who table" that lists all users currently logged into the system records the agent with his correct identification rather than the forgery. Thus to access any segment in the system, the agent need only determine who has access and change his user identification as easily as a legitimate user can change his working directory. 

It was not obvious at the time of the analysis that changing the user identification would work. Several potential problems were foreseen that could lead to system crashes or could reveal the penetrator's presence. However, none of these proved to be a serious barrier to masquerading. 

First, a user process occasionally sends a message to the operator's console from ring 0 to report some type of unusual fault such as a disk parity error. These messages are prefaced by the user's name and project taken from the PDS. It was feared that a random parity error could "blow the cover" of the penetrator by printing his modified identification on the operator's console. (29) However, the PDS in fact contains two copies of the user identification - one formatted for printing and one formatted for comparison with access control list entries. Ring 0 software keeps these strictly separated, so the penetrator need only change the access control identification. 

Second, when the penetrator changes his user identification, he may lose access to his own programs, data and directories. The solution here is to assure that the access control lists of the needed segments and directories grant appropriate access to the user as whom the penetrator is masquerading. 



(29) This danger exists only if the operator or system security officer is carefully correlating parity error messages with the names of currently logged in users. 
Finally, one finds that although the penetrator can set the access control lists of his ring 4 segments appropriately, he cannot in any easy way modify the access control lists of certain per process supervisor segments including the process data segment (PDS), the process initialization table (PIT), the known segment table (KST), and the stack and combined linkage segments for rings 1, 2, and 3. The stack and combined linkage segments for rings 1, 2, and 3 can be avoided by not calling any ring 1, 2, or 3 programs while masquerading. However, the PDS, PIT, and KST are all ring 0 data bases that must be accessible at all times with read and write permission. This requirement could pose the penetrator a very serious problem; but, because of the very fact that these segments must always be accessible in ring 0, the system has already solved this problem. While the PIT, PDS, and KST are paged segments, (30) they are all used during segment fault handling. In order to avoid recursive segment faults, the PIT, PDS, and KST are never deactivated. (31) Deactivation, as mentioned above, is the process by which a segment's page table is removed from core and a segment fault is placed in its SDW. The access control bits are set in an SDW only at segment fault time. (32) Since the system never deactivates the PIT, PDS, and KST, under normal conditions the SDW's are not modified for the life of the process. Since the process of changing user identification does not change the ring 0 SDW's of the PIT, PDS, and KST either, the penetrator retains access to these critical segments without any special action whatsoever. 



(30) In fact the first page of the PDS is wired down so that it may be used by page control. The rest of the PDS, however, is not wired. 

(31) In Multics jargon, their "entry hold switches" are set. 

(32) In fact, a segment fault is also set in an SDW when the access control list of the corresponding segment is changed. This is done to ensure that access changes are reflected immediately, and is effected by setting faults in all descriptor segments that have active SDW's for the segment. This additional case is not a problem, because the access control lists of the PIT, PDS, and KST are never changed. 






3.4.3 Accessing the Password File 

One of the classic penetrations of an operating system has been unauthorized access to the password file. This type of attack on a system has become so embedded in the folklore of computer security that it even appears in the definition of a security "breach" in DOD 5200.28-M <DOD73>. In fact, however, accessing the password file internal to the system proves to be of minimal value to a penetrator as shown below. For completeness, the Multics password file was accessed as part of this analysis. 

3.4.3.1 Minimal Value of the Password File 

It is asserted that accessing the system password file is of minimal value to a penetrator for several reasons. First, the password file is generally the most highly protected file in a computer system. If the penetrator has succeeded in breaking down the internal controls to access the password file, he can almost undoubtedly access every other file in the system. Why bother with the password file? 

Second, the password file is often kept enciphered. A great deal of effort may be required to invert such a cipher, if indeed the cipher is invertible at all. 

Finally, the login path to a system is generally the most carefully audited to attempt to catch unauthorized password use. The penetrator greatly risks detection if he uses an unauthorized password. It should be noted that an unauthorized password obtained outside the system may be very useful to a penetrator if he does not already have access to the system. However, that is an issue of physical security which is outside the scope of this paper. 

3.4.3.2 The Multics Password File 

The Multics password file is stored in a segment called the person name table (PNT). The PNT contains an entry for each user on the system including that user's password and various pieces of auditing information. Passwords are chosen by the user and may be changed at any time. (33) Passwords are scrambled by an allegedly non-invertible enciphering routine for protection in case the PNT appears in a system dump. Only enciphered passwords are stored in the system. The password check at login time is accomplished by the equivalent of the following PL/I code: 

    if scramble_ (typed_password) = pnt.user.password 
        then call ok_to_login; 
        else call reject_login; 

For the rest of this section, it will be assumed that the enciphering routine is non-invertible. In a separate volume <DOW74>, Downey demonstrates the invertibility of the Multics password scrambler used at the time of the vulnerability analysis. (34) 

The PNT is a ring 4 segment with the following access control list: 

    rw   *.SysAdmin.* 
    null *.*.* 

Thus by modifying one's user identification to the SysAdmin project as in Section 3.4.2, one can immediately gain unrestricted access to the PNT. Since the passwords are enciphered, they cannot be read out of the PNT directly. However, the penetrator can extract a copy of the PNT for cryptanalysis. The penetrator can also change a user's password to the enciphered version of a known password. Of course, this action would lead to almost immediate discovery, since the user would no longer be able to login. 

(33) There is a major problem that user chosen passwords are often easy to guess. That problem, however, will not be addressed here. Multics provides a random password generator, but its use is not mandatory. 

(34) ESD/MCI has provided a "better" password scrambler that is now used in Multics, since enciphering the password file is useful in case it should appear in a system dump. 

3.4.4 Modifying Audit Trails 

Audit trails are frequently put into computer systems for the purpose of detecting breaches of security. For example, a record of last login time printed when a user logged in could detect the unauthorized use of a user's password and identification. However, we have seen that a penetrator using vulnerabilities in the operating system code can access information and bypass many such audits. Sometimes it is not convenient for the penetrator to bypass an audit. If the audit trail is kept online, it may be much easier to allow the audit to take place and then go back and modify the audit trail to remove or modify the evidence of wrongdoing. One simple example of modification of audit trails was selected for this vulnerability demonstration. 

Every segment in Multics carries with it audit information on the date time last used (DTU) and date time last modified (DTM). These dates are maintained by an audit mechanism at a very low level in the system, and it is almost impossible for a penetrator to bypass this mechanism. (35) An obvious approach would be to attempt to patch the DTU and DTM that are stored in the parent directory of the segment in question. However, directories are implemented as rather complex hash tables and are therefore very difficult to patch. 

Once again, however, a solution exists within the system. A routine called set_dates is provided among the various subroutine calls into ring 0 which is used when a segment is retrieved from a backup tape to set the segment's DTU and DTM to the values at the time the segment was backed up. The routine is supposed to be callable only from a highly privileged gate into ring 0 that is restricted to system maintenance personnel. However, since a penetrator can change his user identification, this restriction proves to be no barrier. To access a segment without updating DTU or DTM: 

1. Change user ID to access segment. 

2. Remember old DTU and DTM. 

3. Use or modify the segment. 

4. Change user ID to system maintenance. 

5. Reset DTU and DTM to old values. 

6. Change user ID back to original. 

In fact, due to yet another system bug, the procedure is even easier. The module set_dates is callable, not only from the highly privileged gate into ring 0, but also from the normal user gate into ring 0. (36) Therefore, step 4 in the above algorithm can be omitted if desired. A listing of the utility that changes DTU and DTM may be found in Appendix F. 

(35) Section 3.4.5 shows a motivation to bypass DTU and DTM. 

(36) The user gate into ring 0 contains set_dates, so that users may perform reloads from private backup tapes. 

It should be noted that one complication exists in step 5 - resetting DTU and DTM. The system does not update the dates in the directory entry immediately, but primarily at segment deactivation time. (37) Therefore, step 5 must be delayed until the segment has been deactivated - a delay of up to several minutes. Otherwise the penetrator could reset the dates, only to have them updated again a moment later. 

3.4.5 Trap Door Insertion 

Up to this point, we have seen how a penetrator can exploit existing weaknesses in the security controls of an operating system to gain unauthorized access to protected information. However, when the penetrator exploits existing weaknesses, he runs the constant risk that the system maintenance personnel will find and correct the weakness he happens to be using. The penetrator would then have to begin again looking for weaknesses. To avoid such a problem and to perpetuate access into the system, the penetrator can install "trap doors" in the system which permit him access, but are virtually undetectable. 

3.4.5.1 Classes of Trap Doors 

Trap doors come in many forms and can be inserted in many places throughout the operational life of a system from the time of design up to the time the system is replaced. Trap doors may be inserted at the facility at which the system is produced. Clearly, if one of the system programmers is an agent, he can insert a trap door in the code he writes. However, if the production site is a (perhaps on-line) facility to which the penetrator can gain access, the penetrator can exploit existing vulnerabilities to insert trap doors into system software while the programmer is still working on it or while it is in quality assurance. 

As a practical example, it should be noted that the software for WWMCCS is currently developed using uncleared personnel on a relatively open time sharing system at Honeywell's plant in Phoenix, Arizona. The software is monitored and distributed from an open time sharing system at the Joint Technical Support Agency (JTSA) at Reston, Virginia. Both of these sites are potentially vulnerable to penetration and trap door insertion. 

(37) Dates may be updated at other times as well. 

Trap doors can be inserted during the distribution phase. If updates are sent via insecure communications - either US Mail or insecure telecommunications - the penetrator can intercept the update and subtly modify it. The penetrator could also generate his own updates and distribute them using forged stationery. 

Finally, trap doors can be inserted during the installation and operation of the system at the user's site. Here again, the penetrator uses existing vulnerabilities to gain access to stored copies of the system and make subtle modifications. 

Clearly when a trap door is inserted, it must be well hidden to avoid detection by system maintenance personnel. Trap doors can best be hidden in changes to the binary code of a compiled routine. Such a change is completely invisible on system listings and can be detected only by comparing bit by bit the object code and the compiler listing. However, object code trap doors are vulnerable to recompilations of the module in question. 

Therefore the system maintenance personnel could regularly recompile all modules of the system to eliminate object code trap doors. However, this precaution could play directly into the hands of the penetrator who has also made changes in the source code of the system. Source code changes are more visible than object code changes, since they appear in system listings. However, subtle changes can be made in relatively complex algorithms that will escape all but the closest scrutiny. Of course, the penetrator must be sure to change all extant copies of a module to avoid discovery by a simple comparison program. 

Two classes of trap doors which are 
themselves source or object trap doors are particularly 
insidious and merit discussion here. These are the 
teletype key string trigger trap door and the compiler 
trap door. 
It has often been hypothesized that a carefully written closed subsystem such as a query system or limited data management system without programming capabilities may be made invulnerable to security penetration. The teletype key string trigger is just one example of a trap door that provides the penetrator with a vulnerability in even the most limited subsystem. To create such a trap door, the agent modifies the supervisor teletype modules at the development site such that if the user types normally, no anomaly occurs, but if the user types a special key string, a dump/patch utility is triggered into operation to allow the penetrator unlimited access. The key string would of course have to be some very unlikely combination to avoid accidental discovery. The teletype key string trap door is somewhat more complex than the trap door described below in Section 3.4.5.2. However, it is quite straightforward to develop and insert with relatively nominal effort. 

It was noted above that while object code trap doors are invisible, they are vulnerable to recompilations. The compiler (or assembler) trap door is inserted to permit object code trap doors to survive even a complete recompilation of the entire system. In Multics, most of the ring 0 supervisor is written in PL/I. A penetrator could insert a trap door in the PL/I compiler to note when it is compiling a ring 0 module. Then the compiler would insert an object code trap door in the ring 0 module without listing the code in the listing. Since the PL/I compiler is itself written in PL/I, the trap door can maintain itself, even when the compiler is recompiled. (38) Compiler trap doors are significantly more complex than the other trap doors described here, because they require a detailed knowledge of the compiler design. However, they are quite practical to implement at a cost of perhaps five times the level shown in Section 3.5. It should be noted that even costs several hundred times larger than those shown here would be considered nominal to a foreign agent. 

There is also a variant on the compiler trap door called the initialization trap door. Here, the system initialization code is modified by the penetrator to insert other trap doors as the system is brought up. Such trap doors can be relatively invulnerable to detection and recompilation, because system initialization is usually a very complex and poorly understood procedure. 

(38) This type of trap door does not require a higher level language. Entirely analogous trap doors could be placed in an assembler. 

3.4.5.2 Example of a Trap Door in Multics 

To demonstrate the feasibility of inserting and distributing trap doors, the following object code change was made to check$device_name to provide a generalized dump or patch facility. Figure 13 shows a PL/I program that performs essentially the same function as the trap door actually inserted in the object code. The listing of the actual trap door and its calling program is in Appendix C. Check$device_name is normally called with three arguments, the third being a fixed binary error code. The trap door is inserted at the point at which check$device_name would have returned. The trap door looks at the 72 bits immediately following the error code that was passed by the caller. If those 72 bits match a predefined 72 bit password, then the fixed binary word to which ptr1 points is copied into the fixed binary word to which ptr2 points. Since check$device_name is a ring 0 procedure, this copy is carried out using the ring 0 descriptor segment and allows the caller to read or write any word in ring 0. Dump and patch utilities can use this trap door exactly like the Insufficient Argument Validation vulnerability. The 72 bit key is used to ensure that the vulnerability is not invoked by accident by some unsuspecting user. 

The actual insertion of the trap door was done by the following steps: 

1. Change user identification to project SysLib. 

2. Make patch in object archive copy of check$device_name in >ldd>hard>object. 

3. Reset DTM on object archive. 

4. Make patch in bound archive copy of check$device_name in >ldd>hard>bound_components. 

5. Reset DTM on bound archive. 

6. Reset user identification. 

This procedure ensured that the object patch was in all library copies of the segment. The DTM was reset as in Section 3.4.4, because the dates on library segments are checked regularly for unauthorized modification. These operations did not immediately install the trap door. Actual installation occurred at the time of the next system tape generation. 

    check$device_name: procedure (a, b, code); 

        declare 1 code parameter, 
                  2 err_code fixed binary (35), 
                  2 key bit (72) aligned, 
                  2 ptr1 pointer aligned, 
                  2 ptr2 pointer aligned; 

        declare overlay fixed binary (35) based; 

        /* Start of regular code */ 

        /* Here check$device_name would normally return */ 

        if key = bit_string_constant_password 
            then ptr2 -> overlay = ptr1 -> overlay; 

        return; 
    end check$device_name; 

Figure 13. Trapdoor in check$device_name 
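The DTM reset in steps 3 and 5 above defeats a library check that trusts modification dates. The following Python sketch, added here and not part of the report or of Multics, contrasts that date-based check with one that compares content digests against a baseline recorded earlier; the library directory and its file contents are constructed stand-ins for >ldd>hard>object.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Added example, not code from the report: a library integrity check must
# compare content digests rather than the DTM-style dates that set_dates
# can put back. Directory, file names and contents below are constructed.


def sha256_of(path: str) -> str:
    """Content digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(library: str) -> Dict[str, dict]:
    """Per file: modification time (the analogue of DTM) and a content digest."""
    entries = {}
    for name in sorted(os.listdir(library)):
        path = os.path.join(library, name)
        if os.path.isfile(path):
            entries[name] = {"mtime_ns": os.stat(path).st_mtime_ns,
                             "sha256": sha256_of(path)}
    return entries


def changed_by_dates(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """The date-based check the report describes: flags only files whose date moved."""
    return [n for n in sorted(set(baseline) | set(current))
            if baseline.get(n, {}).get("mtime_ns") != current.get(n, {}).get("mtime_ns")]


def changed_by_digest(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Digest-based check: flags modified, added and removed files regardless of dates."""
    return [n for n in sorted(set(baseline) | set(current))
            if baseline.get(n, {}).get("sha256") != current.get(n, {}).get("sha256")]


def patch_and_reset_dates(path: str, offset: int, new_bytes: bytes) -> None:
    """Simulate steps 2 and 3 of the insertion procedure: patch in place, then
    restore the original timestamps so a date-based check sees nothing."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(new_bytes)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> Dict[str, List[str]]:
    """Run both checks over a constructed two-file library after one file is patched."""
    with tempfile.TemporaryDirectory() as library:
        # constructed object segments; the bytes are arbitrary filler
        for name, body in (("check_device_name", b"\x00" * 64 + b"original tail"),
                           ("del_dir_tree", b"\x01" * 64)):
            with open(os.path.join(library, name), "wb") as f:
                f.write(body)
        baseline = snapshot(library)          # e.g. taken at system tape generation
        patch_and_reset_dates(os.path.join(library, "check_device_name"),
                              64, b"patched  tail")   # same length as the original tail
        current = snapshot(library)
        return {"dates": changed_by_dates(baseline, current),
                "digest": changed_by_digest(baseline, current)}


if __name__ == "__main__":
    print(demo())   # {'dates': [], 'digest': ['check_device_name']}
```

The baseline itself must be kept where the patch utility cannot reach it (offline or under a signature), otherwise the penetrator updates it along with the object.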

A trap door of this type was first placed in the Multics system at MIT in the procedure del_dir_tree. However, it was noted that del_dir_tree was going to be modified and recompiled in the installation of Multics system 18.0. Therefore, the trap door described above was inserted in check$device_name just before the installation of 18.0 to avoid the recompilation problem. Honeywell was briefed in the spring of 1973 on the results of this vulnerability analysis. At that time, Honeywell recompiled check$device_name, so that the trap door would not be distributed to other sites. 

3.4.6 Preview of 6180 Procedural Vulnerabilities 

To actually demonstrate the feasibility of trap door distribution, a change which could have included a trap door was inserted in the Multics software that was transferred from the 645 to the 6180 at MIT and from there to all 6180 installations in the field. 

3.5 Manpower and Computer Costs 

Table Ml outlines the approximate costs in 
man-hours and computer charges for each vulnerability 
analysis task. The skill level required to perform the 
penetrations was that of a recent computer science 
graduate of any major university v^l th a moderate knowledge 
of the Multics design documented in the Mul ti cs 
Programmers ' Manual <MPM73> and Organick <0RG72>, plus 
nine months experience as a Multics programmer. In 
addition, the penetrator was aided by access to the system 
listings (which are in the public domain) and access to an 
operational Multics system on which to debug penetrations. 
In this example, the RADC system v/as used to test 
penetrations prior to their use at MIT, since a system 
crash at MIT would reveal the intentions of the 
penetrations. (39) 

Costs are broken down into identification, confirmation, and exploitation. Identification is that part of the effort needed to identify a particular vulnerability. It generally involves examination of system listings, although it sometimes involves computer work. Confirmation is that effort needed to confirm the existence of a vulnerability by using it in some manner, however crude, to access information without authorization. Exploitation is that effort needed to develop and debug command procedures to make use of the vulnerabilities convenient. Wherever possible, these command procedures follow standard Multics command conventions. 

(39) It should be noted that while the MIT system was crashed twice due to typographical errors during the penetration, the RADC system was never crashed. 

All figures in the table are conservative estimates as actual accounting information was not kept during the vulnerability analysis. However, costs did not exceed the figures given and in all probability were somewhat lower. 

The costs of implementing the subverter and inverting the password scrambler are not included, because those tasks were not directly related to penetrating the system (See Downey <DOW74>). The Master Mode Transfer vulnerability has no exploitation cost shown, because that vulnerability was not carried beyond confirmation. 
SECTION IV 
CONCLUSIONS 



The initial implementation of Multics is an instance of an uncertified system. For any uncertified system: 

a. The system cannot be depended upon to protect against deliberate attack. 

b. System "fixes" or restrictions (e.g., query only systems) cannot provide any significant improvement in protection. Trap door insertion and distribution has been demonstrated with minimal effort and fewer tools (no phone taps) than any industrious foreign agent would have. 

However, Multics is significantly better than other conventional systems due to the structuring of the supervisor and the use of segmentation and ring hardware. Thus, unlike other systems, Multics can form a base for the development of a truly secure system. 

4.1 Multics is not Now Secure 

The primary conclusion one can reach from this vulnerability analysis is that Multics is not currently a secure system. A relatively low level of effort gave examples of vulnerabilities in hardware security, software security, and procedural security. While all the reported vulnerabilities were found in the HIS 645 system and happen to be fixed by the nature of the changes in the HIS 6180 hardware, other vulnerabilities exist in the HIS 6180. (40) No attempt was made to find 




We have seen the impact of implementation errors or omissions in the hardware vulnerability. In the software vulnerabilities, we have seen the major security impact of apparently unimportant ad hoc designs. We have seen that the development site and distribution paths are particularly attractive for penetration. Finally, we have seen that the procedural controls over such areas as passwords and auditing are no more than "security blankets" as long as the fundamental hardware and software controls do not work. 

(40) In all fairness, the HIS 6180 does provide significant improvements by the addition of ring hardware. However, ring hardware by itself does not make the system secure. Only certification as a well-defined closed process can do that. 

4.2 Multics as a Base for a Secure System 

While we have seen that Multics is not now a secure system, it is in some sense significantly "more secure" than other commercial systems and forms a base from which a secure system can be developed. (See Lipner <LIP74>.) The requirements of security formed part of the basic guiding principles during the design and implementation of Multics. Unlike systems such as OS/360 or GCOS in which security functions are scattered throughout the entire supervisor, Multics is well structured to support the identification of the security and non-security related functions. Further, Multics possesses the segmentation and ring hardware which have been identified <SMI74> as crucial to the implementation of a reference monitor. 

4.2.1 A System for a Benign Environment 

We have concluded that AFDSC cannot run an open multi-level secure system on Multics at this time. As we have seen above, a malicious user can penetrate the system at will with relatively minimal effort. However, Multics does provide AFDSC with a basis for a benign multi-level system in which all users are determined to be trustworthy to some degree. For example, with certain enhancements, Multics could serve AFDSC in a two-level security mode with both Secret and Top Secret cleared users simultaneously accessing the system. Such a system, of course, would depend on the administrative determination that since all users are cleared at least to Secret, there would be no malicious users attempting to penetrate the security controls. 

A number of enhancements are required to bring Multics up to a two-level capability. First and most important, all segments, directories, and processes in the system should be labeled with classification levels and categories. This labeling permits the classification check to be combined with the ACL check and to be represented in the descriptor segment. Second, an earnest review of the Multics operating system is needed to identify vulnerabilities. Such a review is meaningful in Multics, because of its well structured operating system design. A similar review would be a literally endless task in a system such as OS/360 or GCOS. A review of Multics should include an identification of security sensitive modules, an examination of all gates and arguments into ring 0, and a check of all intersegment references in ring 0. Two additional enhancements would be useful but not essential. These are some sort of "high water mark" system as in ADEPT-50 (see Weissman <WEI69>) and some sort of protection from user written applications programs that may contain "Trojan Horses". 
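As an added illustration of the first enhancement (not code from the report or from Multics), the following Python model gives every process and segment a level and a category set and conjoins the mandatory dominance check with the discretionary ACL match written in the mode person.project.tag notation used for the PNT above; the level names, the first-match rule for ACL entries and the two-mode ACL are assumptions of the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Added illustration, not the report's or Multics' own code: a toy reference
# monitor in which the label (classification) check and the ACL check must
# both pass. Level names and first-match ACL semantics are assumed here.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self is at least as high a level and carries every category of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass
class Segment:
    label: Label
    acl: List[Tuple[str, str]]      # e.g. [("rw", "*.SysAdmin.*"), ("null", "*.*.*")]


def acl_mode(acl: List[Tuple[str, str]], user_id: str) -> str:
    """Discretionary check: mode of the first entry matching person.project.tag."""
    person, project, tag = user_id.split(".")
    for mode, pattern in acl:
        pp, pj, pt = pattern.split(".")
        if pp in ("*", person) and pj in ("*", project) and pt in ("*", tag):
            return mode
    return "null"


def decide(process_label: Label, user_id: str, seg: Segment, op: str) -> Tuple[bool, str]:
    """Combined decision for op "r" or "w". The mandatory check comes first so that
    a forged user identification alone cannot cross a classification boundary; the
    returned reason names the failed check for the audit record."""
    if op == "r" and not process_label.dominates(seg.label):
        return False, "mandatory: process label does not dominate segment (no read up)"
    if op == "w" and not seg.label.dominates(process_label):
        return False, "mandatory: segment label does not dominate process (no write down)"
    mode = acl_mode(seg.acl, user_id)
    if mode == "null" or op not in mode:
        return False, f"discretionary: ACL grants '{mode}' to {user_id}"
    return True, "allowed by both label and ACL checks"


if __name__ == "__main__":
    # constructed scenario: the PNT labeled Secret with the ACL quoted in 3.4.3.2
    pnt = Segment(Label("secret"), [("rw", "*.SysAdmin.*"), ("null", "*.*.*")])
    print(decide(Label("secret"), "Jones.SysAdmin.a", pnt, "r"))       # allowed
    print(decide(Label("secret"), "Smith.Users.a", pnt, "r"))          # ACL: null
    print(decide(Label("confidential"), "Jones.SysAdmin.a", pnt, "r")) # no read up
    print(decide(Label("top secret"), "Jones.SysAdmin.a", pnt, "w"))   # no write down
```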

4.2.2 Long Term Open Secure System 

In the long term, it is felt that Multics can be developed into an open secure multi-level system by restructuring the operating system to include a security kernel. Such restructuring is essential since malicious users cannot be ruled out in an open system. The procedures for designing and implementing such a kernel are detailed elsewhere. <AND73, BL73-1, BL73-2, IJP73, PRI73, SCH73, SCHI73, \4M74> To briefly summarize, the access controls of the kernel must always be invoked (segmentation hardware); must be tamperproof (ring hardware); and must be small enough and simple enough to be certified correct (a small ring 0). Certifiability is the critical requirement in the development of a multi-level secure system. ESD/MCI is currently proceeding with a development plan to develop such a certifiably secure version of Multics <ESD73>. 
APPENDIX A 
Subverter Listing 

This appendix contains listings of the three program modules which make up the hardware subverter described in Section 3.2.1. The three procedure segments which follow are called subverter, coded in PL/I; access_violations_, coded in PL/I; and subv, coded in assembler. Subverter is the driving routine which sets up timers, manages storage, and calls individual tests. Access_violations_ contains several entry points to implement specific tests. Subv contains entry points to implement those tests which must be done in assembler. 

The internal procedure check_zero within subverter is used to watch word zero of the procedure segment for unexpected modification. This procedure was used in part to detect the Execute Instruction Access Check Bypass vulnerability. 

The errors flagged in the listing of subv are all warnings of obsolete 645 instructions, because the attached listing was produced on the 6180. 
APPENDIX B 
Unlocked Stack Base Listing 

This appendix contains listings of the four modules which make up the code needed to exploit the Unlocked Stack Base Vulnerability described in Section 3.3.3. The first two procedures, di and dia, implement step one of the vulnerability - inserting code into emergency_shutdown.link (referred to in the listings as esd.link). The last two procedures, fi and fia, implement step two of the vulnerability - actually using the inserted code to read or write any 36 bit quantity in the system. Figure 9 in the main text corresponds to di and dia. Figure 10 corresponds to fi and fia. As in Appendix A, obsolete 645 instructions are flagged by the assembler. 



APPENDIX C 
Trap Door in check$device_name Listing 

This appendix contains listings of the trap door 
inserted in check$device_name in Section 3.4.5.2 and the 
two modules needed to call the trap door. 

Check$device_name is actually one entry point in the 
procedure check$device_index. The patches are shown in 
the assembly language listing of the code produced by the 
PL/I compilation of check$device_index. Most of the 
patches were placed in the entry sequence to 
check$device_index, taking advantage of the fact that PL/I 
entry sequences contain the ASCII representation of the 
entry name for debugging purposes. Since the debugger 
cannot run in ring 0, this is essentially free patching 
space. Additional patches were placed at each return 
point from check$device_name, so that the trap door would 
be executed whenever check$device_name returned to its 
caller. 

Zg is a PL/I procedure which calls the trap door to 
either read or write any 36-bit word accessible in ring 0. 
Zg uses zdata, an assembly language routine, to define a 
structure in the linkage section which contains machine 
instructions with which to communicate with the trap door. 

The trap door algorithm is as follows: 

1. Set the bp register to point to the argument rcode. 
Rcode has been bound to zdata$code in the procedure call 
from zg and must lie on an odd word boundary. 

2. Compare the double word at bp|1 with the key string in 
the trap door to see if this is a legitimate user calling. 
If the keys do not match, then just return. If the keys 
do match, then we know who this is and must proceed. 

3. Do an execute double (XED) on the two instructions at 
bp|3. This allows the caller to provide any instructions 
desired. 

4. The two instructions provided by zdata at bp|3 and 
bp|5 are ldq bp|5 and stq bp|7. Bp|5 and bp|7 contain 
pointers to the locations from which to read and to which 
to write, respectively. These pointers are set in zg. 

5. Finally, the trap door simply returns upon completion 
of the XED pair. 
APPENDIX D 
Dump Utility Listing 



This appendix is a listing of a dump utility program 
designed to use the trap door shown in Section 3.4.5 and 
Appendix C. The program, zd, is a modified version of the 
installed Multics command, ring_zero_dump, documented in 
the MPM System Programmers' Supplement <SPS73>. Zd will 
dump any segment whose SDW in ring zero is not equal to 
zero. In addition, zd will not dump the ring zero 
descriptor segment, because the algorithm used would 
result in the ring 4 descriptor segment being completely 
replaced by the ring 4 descriptor segment which could 
potentially crash the system. Zd will also not dump 
master procedures, since modifying their SDW's could also 
crash the system. 
APPENDIX E 
Patch Utility Listing 

This appendix is a listing of a patch utility 
corresponding to the dump utility in Appendix D. The 
utility, zp, is based on the installed Multics command, 
patch_ring_zero, documented in the MPM System Programmers' 
Supplement <SPS73>. Zp uses the same algorithm as zd in 
Appendix D and operates under the same restrictions. A 
sample of its use is shown below. Lines typed by the user 
are underlined. 

m &^ SM. 123171163101 144155151156 

560 104162165151 to 123171163101 

561 144040040040 to 144155151156 

Type "yes" if patches are correct: yes 

As seen above, the command requests the user to confirm 
the patch before actually performing the patch. The patch 
shown above changes the user's project identification from 
Druid to SysAdmin. 
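As an added illustration (not code from the report or from the zp utility), the following Python decodes the 36-bit words that zp prints as twelve octal digits into the four 9-bit ASCII characters Multics packs into each word, so a reviewer of a patch log can read what text a patch actually writes; it also packs text back into words, which gives the expected "before" value for such a patch. The location 560 and the two new words are taken from the transcript above; the helper names are this example's own.

```python
# Added illustration (not code from the report): decode and encode the
# 36-bit words that the zp utility prints as twelve octal digits.
# Multics packs four 9-bit ASCII characters into each 36-bit word, so
# a patch that rewrites text shows up in the log as octal words; this
# turns those words back into text for review, and packs text into
# words so the expected "before" value of a patch can be checked.

CHARS_PER_WORD = 4       # one 36-bit word holds four 9-bit characters
BITS_PER_CHAR = 9
WORD_OCTAL_DIGITS = 12   # 36 bits = 12 octal digits
CHAR_MASK = (1 << BITS_PER_CHAR) - 1


def decode_word(octal_word: str) -> str:
    """Return the four characters packed in one 12-digit octal word."""
    if len(octal_word) != WORD_OCTAL_DIGITS:
        raise ValueError(f"expected {WORD_OCTAL_DIGITS} octal digits: {octal_word!r}")
    value = int(octal_word, 8)   # raises ValueError on a non-octal digit
    chars = []
    for i in range(CHARS_PER_WORD):
        shift = BITS_PER_CHAR * (CHARS_PER_WORD - 1 - i)
        code = (value >> shift) & CHAR_MASK
        if code > 0x7F:
            # The top two bits of a 9-bit Multics character are zero for ASCII.
            raise ValueError(f"non-ASCII character code {code:o} in {octal_word}")
        chars.append(chr(code))
    return "".join(chars)


def decode_words(octal_words) -> str:
    """Decode a run of consecutive words, e.g. both words of one patch."""
    return "".join(decode_word(w) for w in octal_words)


def encode_text(text: str) -> list:
    """Pack ASCII text into 36-bit words (space padded) as 12-digit octal strings."""
    if any(ord(ch) > 0x7F for ch in text):
        raise ValueError("only ASCII text can be packed into 9-bit characters")
    whole_words = -(-len(text) // CHARS_PER_WORD)          # ceiling division
    padded = text.ljust(whole_words * CHARS_PER_WORD)
    words = []
    for i in range(0, len(padded), CHARS_PER_WORD):
        value = 0
        for ch in padded[i:i + CHARS_PER_WORD]:
            value = (value << BITS_PER_CHAR) | ord(ch)
        words.append(f"{value:0{WORD_OCTAL_DIGITS}o}")
    return words


def patch_report(first_location: int, old_words, new_words) -> list:
    """Render a zp-style confirmation, one line per word (octal location,
    old word, new word), followed by the decoded before/after text."""
    if len(old_words) != len(new_words):
        raise ValueError("old and new word lists must have the same length")
    lines = []
    for offset, (old, new) in enumerate(zip(old_words, new_words)):
        lines.append(f"{first_location + offset:o} {old} to {new}")
    lines.append(f'text: "{decode_words(old_words)}" to "{decode_words(new_words)}"')
    return lines


if __name__ == "__main__":
    # Constructed from the transcript in Appendix E: project id Druid -> SysAdmin.
    new = ["123171163101", "144155151156"]
    old = encode_text("Druid")          # expected contents before the patch
    for line in patch_report(0o560, old, new):
        print(line)
```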
APPENDIX F 
Set Dates Utility Listing 

This appendix is a listing of the set dates utility 
described in Section 3.4.4. The get entry point takes a 
pathname as an argument and remembers the dates on the 
segment at that time. The set entry point takes no 
arguments and sets the dates on the segment to the values 
at the time of the call to the get entry point. Set 
remembers the pathname as well as the dates and may be 
called repeatedly to handle the deactivation problem 
discussed in Section 3.4.4. 

GLOSSARY 



Access 

"The ability and the means to approach, communicate 
with (input to or receive output from), or otherwise 
make use of any material or component in an ADP 
System." <DOD73> 



Access Control List (ACL) 

"An access control list (ACL) describes the access 
attributes associated with a particular segment. The 
ACL is a list of user identifications and respective 
access attributes. It is kept in the directory that 
catalogs the segment." <HIS73> 


Active Segment Table (AST) 

The AST contains an entry for every active segment in 
the system. A segment is "active" if its page table 
is in core. The AST is managed with a least recently 
used algorithm. 


Argument Validation 

On calls to inner-ring (more privileged) procedures, 
argument validation is performed to ensure that the 
caller indeed had access to the arguments that have 
been passed, to ensure that the called, more 
privileged procedure does not unwittingly access the 
arguments improperly. 


Arrest 

"The discovery of user activity not necessary to the 
normal processing of data which might lead to a 
violation of system security and force termination of 
the activity." <DOD73> 






Breach 

"The successful and repeatable defeat of security 
controls with or without an arrest, which if carried 
to consummation, could result in a penetration of the 
system. Examples of breaches are: 

a. Operation of user code in master mode; 

b. Unauthorized acquisition of I.D. password or file 
access passwords; and 

c. Accession to a file without using prescribed 
operating system mechanisms." <DOD73> 


Call Limiter 

The call limiter is a hardware feature of the HIS 
6180 which restricts calls to a gate segment to a 
specified block of instructions (normally a transfer 
vector) at the base of the segment. 


Date Time Last Modified (DTM) 

The date time last modified of each segment is stored 
in its parent directory. 


Date Time Last Used (DTU) 

The date time last used of each segment is stored in 
its parent directory. 


Deactivation 

Deactivation is the process of removing a segment's 
page table from core. 


Descriptor Base Register (DBR) 

The descriptor base register points to the page table 
of the descriptor segment of the process currently 
executing on the CPU. 


Descriptor Segment (DSEG) 

The descriptor segment is a table of segment 
descriptor words which identifies to the CPU to which 
segments the process currently has access. 

Directory 

"A directory is a segment that contains information 
about other segments such as access attributes, 
number of records, names, and bit count." <HIS73> 


emergency_shutdown 

"This mastermode module provides a system reentry 
point which can be used after a system crash to 
attempt to bring the system to a graceful stopping 
point." <SPS73> 


Fault Intercept Module (fim) 

The fim is a ring 0 module which is called to handle 
most faults. It copies the saved machine state into 
an easily accessible location and calls the 
appropriate fault handler (usually the signaller). 


Gate Segment 

A gate segment contains one or more entry points used 
on inward calls. A gate entry point is the only 
entry in an inner ring that may be called from an 
outer ring. Argument validation must be performed 
for all calls into gate segments. 


General Comprehensive Operating Supervisor (GCOS) 

GCOS is the operating system for the Honeywell 
600/6000 line of computers. It is very similar to 
other conventional operating systems and has no 
outstanding security features. 


HIS 645 

The Honeywell 645 is the computer originally designed 
to run Multics. It is a modification of the HIS 635 
adding paging and segmentation hardware. 
HIS 6180 

The Honeywell 6180 is a follow-on design to the HIS 
645. The HIS 6180 uses the advanced circuit 
technology of the HIS 6080 and adds paging and 
segmentation hardware. The primary difference 
between the HIS 6180 and the HIS 645 (aside from 
performance improvements) is the addition of 
protection ring hardware. 


hcs_ 

The gate segment hcs_ provides entry into ring 0 for 
most user programs for such functions as creating and 
deleting segments, modifying ACL's, etc. 


hphcs_ 

The gate segment hphcs_ provides entry into ring 0 
for such functions as shutting the system down, 
hardware reconfiguration, etc. Its access is 
restricted to system administration personnel. 


ITS Pointer 

An ITS (Indirect To Segment) pointer is a 72-bit 
pointer containing a segment number, word number, bit 
offset, and indirect modifier. A Multics PL/I 
aligned pointer variable is stored as an ITS pointer. 


Known Segment Table (KST) 

The KST is a per-process table which associates 
segment numbers with segment names. Details of its 
organization and use may be found in Organick. 
<ORG72> 


Linkage Segment 

"The linkage segment contains certain vital symbolic 
data, descriptive information, pointers, and 
instructions that are needed for the linking of 
procedures in each process." <ORG72> 
Master Mode 

When the HIS 645 processor is in master mode (as 
opposed to slave mode), any processor instruction may 
be executed and access control checking is inhibited. 


Multics 

Multics, the Multiplexed Information and Computing 
Service, is the operating system for the HIS 645 and 
HIS 6180 computers. 


Multi-Level Security Mode 

"A mode of operation under an operating system 
(supervisor or executive program) which provides a 
capability permitting various levels and categories 
or compartments of material to be concurrently stored 
and processed in an ADP system. In a remotely 
accessed resource-sharing system, the material can be 
selectively accessed and manipulated from variously 
controlled terminals by personnel having different 
security clearances and access approvals. This mode 
of operation can accommodate the concurrent processing 
and storage of (a) two or more levels of classified 
data, or (b) one or more levels of classified data 
with unclassified data depending upon the constraints 
placed on the systems by the Designated Approving 
Authority." <DOD73> 


OS/360 

OS/360 is the operating system for the IBM 360 line 
of computers. It is very similar to other 
conventional operating systems and has no outstanding 
security features. 


Page 

Segments may be broken up into 1024 word blocks 
called pages which may be stored in non-contiguous 
locations of memory. 
Penetration 

"The successful and repeatable extraction and 
identification of recognizable information from a 
protected data file or data set without any attendant 
arrests." <DOD73> 


Process 

"A process is a locus of control within an 
instruction sequence. That is, a process is that 
abstract entity which moves through the instructions 
of a procedure as the procedure is executed by a 
processor." <DEN66> 


Process Data Segment (PDS) 

The PDS is a per-process segment which contains 
various information about the process including the 
user identification and the ring stack. The PDS is 
accessible only in ring 0 or in master mode. 


Process Initialization Table (PIT) 

The PIT is a per-process segment which contains 
additional information about the process. The PIT is 
readable in ring 4 and writable only in ring 0. 


Protection Rings 

Protection rings form an extension to the traditional 
master/slave mode relationship in which there are 
eight hierarchical levels of protection numbered 0 to 
7. A given ring N may access rings N through 7 but 
may only call specific gate segments in rings 0 to 
N-1. 
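The rule in this entry, together with the Call Limiter and Argument Validation entries above, can be written down as a small decision procedure. The following is an added example, not code from the report or from Multics: a ring N may touch data in rings N through 7, may transfer into a more privileged ring only through a gate segment, and even then only to an entry inside the gate's call limiter block, after which the gate must validate its arguments. The segment names hcs_ and pds come from this glossary; the ring numbers, entry offsets and the call limit of 16 are assumptions made up for the illustration.

```python
"""Toy model of the glossary's ring access rule and the call limiter.

Added example; not code from the report or from Multics.  Segment
names are borrowed from the glossary, but the ring numbers, entry
offsets and call limits are constructed for illustration.
"""
from dataclasses import dataclass

RING_MIN, RING_MAX = 0, 7  # ring 0 is most privileged, ring 7 least


@dataclass(frozen=True)
class Segment:
    name: str
    ring: int            # ring in which the segment resides
    is_gate: bool = False
    call_limit: int = 0  # gates only: callable entry offsets are 0 .. call_limit-1


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    validate_arguments: bool = False  # True for a permitted inward (gate) call


def _check_ring(ring: int) -> None:
    if not RING_MIN <= ring <= RING_MAX:
        raise ValueError(f"ring number {ring} outside {RING_MIN}..{RING_MAX}")


def can_access_data(caller_ring: int, seg: Segment) -> bool:
    """Ring N may reference data in rings N through 7, never in a more privileged ring."""
    _check_ring(caller_ring)
    _check_ring(seg.ring)
    return seg.ring >= caller_ring


def check_call(caller_ring: int, seg: Segment, entry_offset: int) -> Verdict:
    """Apply the glossary's rule to a transfer of control from caller_ring into seg."""
    _check_ring(caller_ring)
    _check_ring(seg.ring)
    if seg.ring >= caller_ring:
        # Outward or same-ring transfer: no gate is involved.
        return Verdict(True, f"call into ring {seg.ring} from ring {caller_ring} needs no gate")
    if not seg.is_gate:
        # Inward transfer into a more privileged ring is only possible through a gate.
        return Verdict(False, f"{seg.name} is not a gate; ring {caller_ring} "
                              f"may not call into ring {seg.ring}")
    if not 0 <= entry_offset < seg.call_limit:
        # Call limiter: the entry must lie in the transfer-vector block at the gate's base.
        return Verdict(False, f"entry offset {entry_offset} of {seg.name} is outside "
                              f"the call limiter block 0..{seg.call_limit - 1}")
    # Permitted inward call; the gate must validate its arguments before using them.
    return Verdict(True, f"gate entry {entry_offset} of {seg.name} reached from ring {caller_ring}",
                   validate_arguments=True)


# Constructed sample segments (names from the glossary; numbers are assumptions).
HCS_GATE = Segment("hcs_", ring=0, is_gate=True, call_limit=16)
RING0_DATA = Segment("pds", ring=0)
USER_PROGRAM = Segment("user_program", ring=4)


def demo() -> list:
    """Run four transfers through the model and return their verdicts."""
    cases = [
        (4, HCS_GATE, 3),      # legal gate call from the user ring
        (4, HCS_GATE, 40),     # entry past the transfer vector: stopped by the call limiter
        (4, RING0_DATA, 0),    # direct transfer into a ring 0 non-gate segment
        (0, USER_PROGRAM, 0),  # outward call, unrestricted by the ring rule
    ]
    return [check_call(ring, seg, entry) for ring, seg, entry in cases]


if __name__ == "__main__":
    for verdict in demo():
        print("ALLOW" if verdict.allowed else "DENY ", verdict.reason)
```

The model deliberately keeps only what the glossary states: it knows nothing of the per-segment ring brackets or access modes of the real hardware, so it is a reading aid for the definitions, not a description of the 6180's descriptor checks.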



Reference Monitor 

The reference monitor is that hardware/software 
combination which must monitor all references by any 
program to any data anywhere in the system to ensure 
the security rules are followed. 

a. The monitor must be tamper proof. 

b. The monitor must be invoked for every 
reference to data anywhere in the system. 

c. The monitor must be small enough to be 
proven correct. 


Segment 

A segment is the logical atomic unit of information 
in Multics. Segments have names and unique 
protection attributes and may contain up to 256K 
words. Segments are directly implemented by the HIS 
645 and HIS 6180 hardware. 


Segment Descriptor Word (SDW) 

An SDW is a single entry in a descriptor segment. 
The SDW contains the absolute address of the page 
table of a segment (if one exists) or an indication 
that the page table does not exist. The SDW also 
contains the access control information for the 
segment. 


Segment Loading Table (SLT) 

The SLT contains a list of segments to be used at the 
time the system is brought up. All segments in the 
SLT come from the system tape. 


signaller 

"signaller is the hardcore ring privileged procedure 
responsible for signalling all fault and 
interrupt-produced errors." <SPS73> 


Slave Mode 

When the HIS 645 processor is in slave mode, certain 
processor instructions are inhibited and access 
control checking is enforced. The processor may 
enter master mode from slave mode only by signalling 
a fault of some kind. 
Stack Base Register 

The stack base register contains the segment number 
of the stack currently in use. In the original 
design of Multics, the stack base was locked so that 
interrupt handlers were guaranteed that it always 
pointed to a writable segment. This restriction was 
later removed allowing the user to change the stack 
base arbitrarily. 


subverter 

The subverter is a procedure designed to test the 
reliability of security hardware by periodically 
attempting illegal accesses. 


Trap door 

Trap doors are unnoticed pieces of code which may be 
inserted into a system by a penetrator. The trap 
door would remain dormant within the software until 
triggered by the agent. Trap doors inserted into the 
code implementing the reference monitor could bypass 
any and all security restrictions on the systems. 
Trap doors can potentially be inserted at any time 
during software development and use. 


WWMCCS 

WWMCCS, the World Wide Military Command and Control 
System, is designed to provide unified command and 
control functions for the Joint Chiefs of Staff. As 
part of the WWMCCS contract for procurement of a 
large number of HIS 6000 computers, a set of software 
modifications were made to GCOS, primarily in the 
area of security. The WWMCCS GCOS security system 
was found to be no more effective than the unmodified 
GCOS security, due to the inherent weaknesses of GCOS 
itself. 